(VB) How to Intercept API Calls
To control dial-up networking you use the Remote Access Service (RAS) API. This API first appeared in Windows for Workgroups 3.11 and is now part of the Win32 API.
The function that hangs up a dial-up connection is RasHangUp. It is simple to use and takes a single parameter: the handle of the dial-up connection to hang up.
RasEnumConnections returns all RAS connections currently active on the system (normally a system uses only one dial-up connection at a time), and this gives us the handle that RasHangUp needs.
RasEnumConnections is used slightly differently on Windows 95 and Windows NT; for reasons of space, only the Windows 95 form of the call is shown here.
Detailed descriptions of all the related functions can be found in the Win32 API reference. VB's WIN32API.TXT does not include the declarations needed for the RAS API, so the function and structure declarations required here are given below.
To run the example, create a form, place a button on it, and enter the following code:

Option Explicit

Private Declare Function RasHangUp Lib "RasApi32.DLL" Alias "RasHangUpA" (ByVal hRasConn As Long) As Long
Private Declare Function RasEnumConnections Lib "RasApi32.DLL" Alias "RasEnumConnectionsA" (lprasconn As Any, lpcb As Long, lpcConnections As Long) As Long

Const RAS95_MaxEntryName = 256
Const RAS95_MaxDeviceName = 128
Const RAS_MaxDeviceType = 16

Private Type RASCONN95
    'set dwsize to 412
    dwSize As Long
    hRasConn As Long
    szEntryName(RAS95_MaxEntryName) As Byte
    szDeviceType(RAS_MaxDeviceType) As Byte
    szDeviceName(RAS95_MaxDeviceName) As Byte
End Type

Private Sub Command1_Click()
    Dim lngRetCode As Long
    Dim lpcb As Long
    Dim lpcConnections As Long
    Dim intArraySize As Integer
    Dim intLooper As Integer

    ' lpcb below tells the API the buffer holds 256 entries,
    ' so the array must really have 256 elements (0 To 255)
    intArraySize = 255
    ReDim lprasconn95(intArraySize) As RASCONN95
    lprasconn95(0).dwSize = 412
    lpcb = 256 * lprasconn95(0).dwSize
    lngRetCode = RasEnumConnections(lprasconn95(0), lpcb, lpcConnections)
    If lngRetCode = 0 Then
        If lpcConnections > 0 Then
            ' Hang up every active RAS connection
            For intLooper = 0 To lpcConnections - 1
                RasHangUp lprasconn95(intLooper).hRasConn
            Next intLooper
        Else
            MsgBox "没有拨号网络连接!", vbInformation
        End If
    End If
End Sub

At run time, pressing the button disconnects the dial-up connection.
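How do you disable certain features with VBA?
The code below should give you some ideas. Dedicated to my friends on Toutiao.
Commonly used code for disabling UI elements:

Application.CommandBars("Worksheet Menu Bar").Enabled = False ' disable the menu bar
Application.DisplayFormulaBar = False ' hide the formula bar
Application.DisplayStatusBar = False ' hide the status bar

Use only one of the following two groups; they must not appear together.

Application.CommandBars("Standard").Visible = False ' hide the Standard toolbar (still selectable via right-click)
Application.CommandBars("Formatting").Visible = False ' hide the Formatting toolbar (still selectable via right-click)

Application.CommandBars("Standard").Enabled = False ' remove the Standard toolbar, including from the right-click list
Application.CommandBars("Formatting").Enabled = False ' remove the Formatting toolbar, including from the right-click list

Application.CommandBars("Toolbar list").Enabled = False ' disable the toolbar right-click list
Application.CommandBars("cell").Enabled = False ' disable right-click on cells
Application.CommandBars("Column").Enabled = False ' disable right-click on columns
Application.CommandBars("Row").Enabled = False ' disable right-click on rows
Application.Assistant.Visible = False ' visibility of the application's Assistant
Application.CommandBars.DisableCustomize = True ' remove "Customize" from the toolbar right-click list
ActiveWindow.DisplayHeadings = False ' hide row and column headings
ActiveWindow.DisplayWorkbookTabs = False ' hide worksheet tabs
ActiveWindow.DisplayVerticalScrollBar = False ' hide the vertical scroll bar
ActiveWindow.DisplayHorizontalScrollBar = False ' hide the horizontal scroll bar
Application.CommandBars("ply").Enabled = False ' disable right-click on worksheet tabs
Application.CommandBars("Visual basic").Enabled = False ' disable activation of the application's "Visual basic" command bar
Application.OnKey "%{f11}", "" ' disable the ALT+F11 key combination (% stands for ALT)
Application.OnKey "%{F11}" ' re-enable ALT+F11
Application.OnKey "%{f8}", "" ' disable ALT+F8
Application.OnKey "%{f8}" ' re-enable ALT+F8
Application.OnKey "^{f11}", "VBEdit" ' disable Ctrl+F11 (insert macro sheet); ^ stands for Ctrl
Application.OnKey "^{f11}" ' restore Ctrl+F11 (insert macro sheet)
Application.OnKey "^f", "" ' disable Ctrl+F (Find)
Application.OnKey "^h", "" ' disable Ctrl+H (Replace)
Application.OnKey "^{Break}", "" ' disable the CTRL+Break interrupt
Application.OnKey "^{Break}" ' re-enable the CTRL+Break interrupt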
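Steps for Interacting with API Interfaces from VBA
VBA (Visual Basic for Applications) is a programming language for Microsoft Office applications. VBA code can interact with API interfaces to implement many kinds of functionality.
This article introduces the basic concepts of VBA and API interfaces, the steps for implementing the interaction, and some practical use cases.
Part 1: Basic concepts of VBA and API interfaces
1.1 Basic concepts of VBA
VBA is a macro language based on Visual Basic. It provides a set of objects, properties and methods for operating Office applications (such as Excel and Word).
With VBA we can automate calculations and operations and work more efficiently.
1.2 Basic concepts of API interfaces
An API (Application Programming Interface) is a set of interfaces that defines the communication protocols and functions between software components.
Through API interfaces, different software systems can pass data to each other and call each other's functions to build complex applications.
Part 2: Steps for interacting with an API interface from VBA
2.1 Identify the API interface
Before interacting with an API interface, first learn the specifics of the interface you want to access, including its address, request method and parameters.
This information is available from the official documentation, the interface specification or the relevant developer platform.
2.2 Create the VBA object
In VBA, use the CreateObject function or a reference to an existing library to create the object that talks to the API interface.
If the API interface is web-based, the XMLHTTP or WinHttpRequest object is normally used; if it is RESTful, the MSXML2.XMLHTTP object can be used.
2.3 Set the request parameters
Set the request parameters as the API interface requires.
These include the URL, the HTTP request method, the request headers and the request body.
They can be set through the properties and methods of the VBA object.
2.4 Send the request
Send the HTTP request to the API interface from VBA code, using the object's Open, Send and SetRequestHeader methods.
Before sending the request, validate and process the request parameters as needed.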
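Intercepting Windows Messages in VB6
It is well known that VB is not as powerful as full-featured development platforms such as VC++ and Delphi, but it is enough for the great majority of our work. With some thought and a willingness to experiment, we can get the most out of VB and build a lot of impressive software.
Developing difficult software is not the exclusive province of VC++ and Delphi! It used to be widely believed that VB could not intercept Windows messages in a custom way and that you could only program against the few events VB itself provides, which is very limiting.
The lack of message capture, together with the belief that VB did not support callback functions (mainly because VB has no pointers, let alone function pointers), made VB programming very restricted.
In fact, VB can achieve this mechanism in a roundabout way.
Starting with VB 5.0 there is the AddressOf operator, which obtains the address of a user-defined VB function.
With a function address, the callback mechanism becomes available.
Of course, VB still cannot pass function addresses between VB functions; it only supports passing the address of a VB function to a DLL function.
But that is enough.
The program below uses this method. It has only a main form; through property settings, the form has no border and no title bar, cannot be resized, and cannot be dragged by a title bar.
By intercepting Windows messages, however, the form can be dragged with the mouse from anywhere inside it, just as if it were being dragged by the title bar.
The program uses no additional controls and is written entirely in VB code.
Note: add a public module in which to declare some functions and constants.
The following code was tested in VB 6.0.

' ===================================
' Code for the public module
Attribute VB_Name = "Module1"
Option Explicit

Public Const WM_NCHITTEST = &H84
Public Const VK_LBUTTON = &H1
Public Const HTCAPTION = 2
Public Const HTCLIENT = 1
Public Declare Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer
Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Public Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Public Const GWL_WNDPROC = -4
Global lpPrevWndProc As Long
Global gHW As Long

' This is the key part: I define my own window function (a callback function) to replace the VB form's own default window function.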
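How to Prevent API Interfaces from Being Maliciously Called or Attacked
Websites and apps are now almost all developed around API interfaces, so API security is particularly important.
The most common attack today is the "SMS bomber". SMS verification is the most reliable way for an app or website to verify a user's phone number, but while SMS verification codes are convenient, they have also become a target of malicious abuse. How can malicious calls be prevented?
1. Image CAPTCHA: bind the image CAPTCHA to the SMS verification code. After entering the phone number, the user must enter the image CAPTCHA correctly before SMS verification can be triggered. This is fairly effective against malicious attacks.
Most applications currently use this approach.
2. Limit the number of requests: on the server, limit the number of requests to the interface from the same IP and the same device within the same time window.
For example: a minimum interval between repeated sends to the same number, usually 60 or 120 seconds; a maximum number of sends per IP per day; a maximum number of sends per phone number per day.
3. Flow preconditions: put SMS verification at the end of the flow, for example by requiring that the user has registered, or has filled in certain information, before SMS verification can be performed.
4. Location consistency: the server checks whether the location of the user's IP matches the home region of the phone number; if they do not match, prompt the user to perform a manual step, and so on.
5. Server-side interface verification: after the user logs in successfully, return key information generated by signing a token (the token can use base64 encoding and md5 encryption, and can be placed in the request header). Each subsequent request then carries the token packaged in this way, and the server checks whether it matches to decide whether the request passes.
(1) The conventional method: generate a token after the user logs in and return it to the client; the server then uses AOP to intercept controller methods and check that the token is valid. The token is the same every time. (2) Generate a temporary token after the user logs in, store it on the server and return it to the client. On its next request the client sends this token to the server, which checks whether it is valid. If it is valid, the login succeeds and a new token is generated and returned to the client, which sends it back on the following request for checking, and so on.
This method has a performance cost, and it also has a weakness: if, after one request and before the user's next one, an attacker intercepts the login information and logs in as the user, the attacker can likewise log in successfully and force the user offline. Even so, this method greatly reduces the chance of an impersonated login.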
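The request limits in item 2 above (resend interval per number, daily cap per number, daily cap per IP) can be enforced in one server-side check. The following is an added example, not code from the original article; the class and function names, the cap values and the sample requests are constructed for illustration, and stripping a leading 86/0086 assumes mainland-China numbers.

```python
import re
import time

DAY = 86400  # seconds in one day


def normalize_phone(raw):
    """Reduce a submitted number to digits so formatting variants share one counter.

    Dropping a leading 86 / 0086 is an assumption of this example (mainland-China
    numbers); adapt the rule to the numbering plans you actually serve.
    """
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("0086"):
        digits = digits[4:]
    elif len(digits) == 13 and digits.startswith("86"):
        digits = digits[2:]
    return digits


class SmsSendLimiter:
    """In-memory limiter; a shared store is needed once several servers handle sends."""

    def __init__(self, resend_interval=60, per_number_daily=5,
                 per_ip_daily=20, clock=time.time):
        self.resend_interval = resend_interval    # article: usually 60 or 120 s
        self.per_number_daily = per_number_daily  # assumed value
        self.per_ip_daily = per_ip_daily          # assumed value
        self.clock = clock
        self._last_sent = {}     # phone -> time of last accepted send
        self._number_count = {}  # (phone, day) -> accepted sends
        self._ip_count = {}      # (ip, day) -> accepted sends

    def check_and_record(self, phone, ip):
        """Return (allowed, reason); counters change only when the send is allowed."""
        phone = normalize_phone(phone)
        now = self.clock()
        day = int(now // DAY)
        last = self._last_sent.get(phone)
        if last is not None and now - last < self.resend_interval:
            return False, "resend_interval"
        if self._number_count.get((phone, day), 0) >= self.per_number_daily:
            return False, "number_daily_cap"
        if self._ip_count.get((ip, day), 0) >= self.per_ip_daily:
            return False, "ip_daily_cap"
        self._last_sent[phone] = now
        self._number_count[(phone, day)] = self._number_count.get((phone, day), 0) + 1
        self._ip_count[(ip, day)] = self._ip_count.get((ip, day), 0) + 1
        self._prune(day)
        return True, "ok"

    def _prune(self, today):
        # Drop counters from earlier days so memory stays bounded.
        for table in (self._number_count, self._ip_count):
            for key in [k for k in table if k[1] != today]:
                del table[key]


class FakeClock:
    """Controllable clock so the example runs instantly and deterministically."""

    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock(1_699_920_000)  # constructed start time, 00:00 UTC
    limiter = SmsSendLimiter(resend_interval=60, per_number_daily=2,
                             per_ip_daily=3, clock=clock)
    # Constructed requests: (seconds to advance first, phone as submitted, client IP)
    requests = [
        (0, "13800000000", "203.0.113.5"),
        (5, "+86 138-0000-0000", "203.0.113.6"),  # same number, other IP and format
        (60, "13800000000", "203.0.113.5"),
        (61, "13800000000", "203.0.113.7"),       # third send to the number today
        (0, "13900000001", "203.0.113.5"),
        (0, "13900000002", "203.0.113.5"),        # fourth send from this IP today
        (DAY, "13800000000", "203.0.113.5"),      # next day: counters start over
    ]
    reasons = []
    for advance, phone, ip in requests:
        clock.t += advance
        reasons.append(limiter.check_and_record(phone, ip)[1])
    return reasons


if __name__ == "__main__":
    print(demo())
```

The IP passed in should be the peer address seen by the server, or a forwarded address only when it comes from a proxy the server trusts; otherwise the per-IP cap can be sidestepped by varying a header.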
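VB API Function Manual
The VB API (Application Programming Interface) is a tool for developers. It provides a set of standard functions and methods for interacting and communicating with specific software or systems.
A VB API function manual gives developers the documentation and explanations they need to program with the functions in the API.
The main contents of a VB API function manual are as follows.
1. Introduction
- Briefly introduce the VB API and its role;
- State the purpose and scope of the manual;
- Identify the readers' expected level and goals.
2. Preparing the environment
- Describe the development environment and tools used with the VB API functions;
- Explain how to install and configure the VB API;
- Provide sample code and demo projects to help developers get started quickly.
3. API function basics
- Explain the basic concepts and terminology of API functions;
- Introduce the syntax and parameters of API functions;
- Provide sample code to help developers understand and use the functions.
4. API function list
- List all available API functions in detail;
- For each function give the function name, a description of the parameters and a description of the return value;
- Provide sample code to show what each function is for and how to use it.
5. Common problems and error handling
- List the problems and errors developers commonly meet when using the API functions;
- Provide solutions and error-handling techniques;
- Point out caveats and best practices.
6. Appendix
- Provide additional reference material and resource links;
- List related documents and tutorials;
- Provide support and contact information so that developers can get further help.
When writing a VB API function manual, keep the following points in mind:
1. Use simple, clear language and terminology that developers can easily understand;
2. Provide plenty of sample code and demo projects to help developers apply the API functions in practice;
3. Use aids such as charts, tables and code blocks to improve readability and usability;
4. Organize the content in a logical order so that developers can study and consult it systematically.
Summary: a VB API function manual is an important tool for helping developers learn and use VB API functions.
It provides the necessary documentation and explanations to help developers understand what the API functions are for and how to use them.
Writing one requires clear, concise language, plenty of sample code, and content organized in a logical order, so that developers can easily master and apply the API functions.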
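VB API Function Manual
I. Introduction
VB (Visual Basic) is an event-driven programming language widely used to develop applications for the Windows operating system.
VB provides a powerful library of API (Application Programming Interface) functions that can be used to access the operating system's functions and resources.
This article introduces some commonly used VB API functions and how to use them.
II. Categories of API functions
VB API functions fall into the following categories:
1. Window and control operations
These API functions create, manipulate and manage windows and controls, and handle window messages and events.
- CreateWindowEx: creates a window with extended styles.
- SetWindowText: sets the window's title text.
- ShowWindow: shows or hides a window.
- SendMessage: sends a message to a window.
- GetWindowRect: gets the window's client-area rectangle.
2. File and directory operations
These API functions access, read, write and manage files and directories.
- CreateFile: creates or opens a file.
- ReadFile: reads data from a file.
- WriteFile: writes data to a file.
- FindFirstFile/FindNextFile: searches for files.
- CreateDirectory: creates a directory.
3. System and process operations
These API functions access and manage information about the operating system and processes.
- GetTickCount: gets the number of milliseconds since the system started.
- GetSystemInfo: gets the system's hardware and configuration information.
- CreateProcess: creates a new process.
- TerminateProcess: terminates a process.
- EnumProcesses: enumerates all running processes.
4. Network communication
These API functions implement network communication, such as creating sockets, connecting and exchanging data.
- socket: creates a socket for network communication.
- bind: binds a socket to a local address.
- connect: connects to a remote address.
- send/recv: sends and receives data.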
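Using API Functions in VB6
I. What are API functions
API (application programming interface) functions are a set of functions provided by the operating system for other programs to call.
The API lets software developers ask the operating system to perform some task when they call the interface.
II. Using API functions in Visual Basic 6
There are three ways to use API functions in Visual Basic 6:
1. Use the VBApi module
The VBApi module helps you call API functions.
It can be used in any type of application and can call any API function; you only need to add a VBApi module in Visual Basic 6, as follows:
2. Use the Declare statement
A Declare definition is the statement that declares, to a Visual Basic program, external functions or particular functions in a DLL file.
[Public | Private] Declare Function name Lib "libname" [Alias "aliasname"] [([arglist])] [As type]
3. Use a DLL
Using a DLL is a more advanced way of calling API functions than the VBApi module or the Declare statement, and it can greatly simplify the calling process.
Before using a DLL, the DLL file must be configured. The steps are:
(1) Add the DLL file to be called to Visual Basic's References, so that Visual Basic can call the functions in that DLL file.
(2) Add the Win32API module; this module can be used to define the parameters of the API functions.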
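A Brief Discussion of How to Optimize VB Window Procedures with API Functions
Jin Longhai; Wang Xudong
[Abstract] The paper provides an example in which API functions are used to optimize VB window procedures. It explains that, by calling API functions, VB developers can have a function they have written called before the VB window procedure runs, so as to intercept Windows messages, modify the events that certain Windows messages correspond to, or suppress events the user does not need.
[Journal] Journal of Jilin Normal University (Natural Science Edition)
[Year (Volume), Issue] 2012 (033) 003
[Total pages] 3 (P55-56, 60)
[Keywords] window procedure; API function; event; message
[Authors] Jin Longhai; Wang Xudong
[Affiliation] Public Computer Teaching and Research Center, Jilin University, Changchun, Jilin 130012; Public Computer Teaching and Research Center, Jilin University, Changchun, Jilin 130012
[Language of text] Chinese
[CLC classification] TP311.1

The event-driven model is the mainstream of VB programming, and VB runs under Windows, so the messages received from Windows have to be converted into the corresponding VB events. We can intercept the messages Windows passes to VB and modify the corresponding event procedures, or suppress event procedures we do not need. How exactly are the messages intercepted and handled?
In VB, inside a window, the most important item is what is called the "window procedure", whose purpose is to receive messages from Windows. When VB creates an object, it supplies a window procedure for that object. The window procedure receives messages from Windows and converts some of them into the corresponding events, which drive the event procedures for those messages [1], as shown in Figure 1.
Every window in VB has a corresponding window function WndProc, which takes four parameters. The two we mainly need to understand are:
(1) hWnd: the handle of the window the message is sent to; it uniquely identifies the window.
(2) Msg: the parameter that receives the message passed from Windows. Because messages are constants or numeric values, the parameter is of type Long. The messages received in Msg all begin with WM; for example, WM_RBUTTONDOWN is the message value passed when the right mouse button is pressed.
The window function needs to call the DefWindowProc function, which is provided to lighten the window procedure's load. Typically, Windows programmers use a switch and case structure to determine which message the window procedure has received and how to handle it appropriately. All messages that the window procedure does not handle should be passed to the Windows function named DefWindowProc.
On the Form1 form in VB, draw three text boxes named t1, t2 and t3 from top to bottom, and create a menu named "Operation (Oper)" containing four commands: Add (Add), Subtract (Sub), Multiply (Add) and Divide (Div). The program works as follows: the values to be calculated are entered in the first two text boxes and the result is to appear in the third, so we write code for each command in the menu [2]. Once the program is running, enter the values in t1 and t2 and click the corresponding command in the Operation menu to get the result in t3. What we now want is for a right-click in t3 to pop up the "Operation" menu as a shortcut menu, as shown in Figure 2. This is done by adding the following code to the MouseDown event of t3 in VB:
When the program runs, right-clicking in t3 does bring up the shortcut menu (Oper), but each time the system shortcut menu appears first, and our own menu appears only after another click. How can this be improved so that the system shortcut menu does not appear?
The system shortcut menu appears first because, when the t3 text box is created, the window procedure belonging to the text box receives the right-button message from Windows, converts it into the corresponding event and drives the text box object's event procedure. The text box's window procedure is hidden, so we cannot modify it to improve the program; we can only define a function of our own, modelled on the window function, to implement what we need. The custom function:
This function receives the handle passed from the t3 text box, catches the message for the right mouse button being pressed in t3, and pops up only the user-defined shortcut menu Oper, which suppresses the system default shortcut menu in t3. When we have the system run our custom function, however, we cannot reimplement all the message handling that the original window procedure provided, so the other messages have to be handed to the original window procedure. The statement CallWindowProc(pointWndProc,hWnd,Msg,wParam,lParam) calls the original window procedure. In this statement pointWndProc is the address of the original window procedure, which is obtained as follows:
How do we make the VB program run the custom function above, instead of going straight to the window function? In the window's Load event we can use the following API function to call the custom function.
In this program it is the events of t3 that we want to modify, so the handle passed when calling the custom function is that of t3, which lets the custom function receive the message for the right mouse button being pressed in t3. With the method described above we can intercept the messages Windows passes to VB, prevent the event corresponding to a message from occurring, or replace that event with a function of our own, and so optimize VB window procedures.

[References]
[1] Wang Guorong. Visual Basic 6.0 and Windows API Lectures [M]. Posts & Telecom Press, 2000.
[2] Liu Shengcai, Li Chunbao. Visual Basic 6 Programming Study Guide [M]. Tsinghua University Press, 2002.
[3] Cao Lihua, Tan Zhenjiang. Designing an LED Electronic Billboard with VB.NET [J]. Journal of Jilin Normal University (Natural Science Edition), 2010, 31(1): 141-143.
[4] Chen Jian. VB.NET Multithreading Technology and Its Applications [J]. Journal of Jilin Normal University (Natural Science Edition), 2008, 29(1): 61-62.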
How to Intercept API Calls

Description
This is a question a reader asked. VB is not really suited to this problem, but that does not mean it cannot be done; it just takes a longer route. This question … the IAT (Import Address Table) in the executable. If you are not familiar with the PE file format, see "Introduction to PE Files".
When a process runs, it loads many DLLs into its address space. For example, calling Message in User32.dll requires User32.dll to be loaded into the address space; the more different APIs are called, the more modules there are in the address space. For the modules a process has loaded, see "How to Get Information about the Modules Loaded in a Process".
Generally speaking, when running Notepad.exe we only need to intercept the IAT of the module Notepad.exe. Only if you want … whether Notepad.exe calls the function to be intercepted through other DLLs do you need to intercept the other loaded modules.
The whole interception procedure in this program is as follows:

1. Allocate two blocks of memory in the program to be intercepted: one to hold the interception code and one to hold the variables it needs. For how to allocate memory in an external program, see "How to Allocate Memory in an External Program".
AddressOfRemoteFunction=CreateRemoteMememory(SomeProcess,FunctionSize)
AddressOfVar=CreateRemoteMememory(SomeProcess,DataSize)
2. Write the function to be injected into the allocated address space and initialize the variables
Call WriteCodeTo(AddressOfRemoteFunction)
[AddressOfVar]=1
[AddressOfVar+256]=Old_FunctionAddress
3. Change the IAT address to the newly allocated function
IAT[FunctionOrder]=AddressOfRemoteFunction
4. Watch the variable (when the injected function runs it sets [AddressOfVar] to 0)
Do
DoEvents
Loop While [AddressOfVar] 'keep watching while it is not 0
'0 means the function has been called
MsgBox "抓到了"
5. Stop watching or keep watching
If StopHook Then
[AddressOfVar]=1 'first let the remote program continue
IAT[FunctionIndex]=Old_FunctionAddress 'restore the original address
Else
[AddressOfVar]=1
Goto Step4 'go to step 4 and keep watching
End If

The injected code is as follows:
push eax ;save the value of eax
mov eax, 00000000 ;set to 0
mov dword ptr [AddressOfVar], eax ;set the variable to 0; the monitoring program can now notice
lp1:
cmp eax, dword ptr [AddressOfVar]
je lp1 ;wait indefinitely until the monitoring program sets the variable to 1
pop eax ;restore the value of eax
;jump to the original code address
jmp dword ptr [AddressOfVar+256] ;where [AddressOfVar+256] = address of the original function

The injected function must be written into the address as machine code. If you do not know how to convert it, assemble this assembly code with an assembler first and then take the resulting machine code.

The program is operated as follows:
6. Open Notepad
7. For the process to intercept, select notepad.exe
8. For the module to intercept, also select notepad.exe
9. For the function to intercept, select MessageBoxW - [USER32.dll]; on a 9x system select MessageBoxA - [USER32.dll]. It looks roughly like this
11. Press Intercept
12. Type some text in the Notepad window and then close the window
13. The Hook program now intercepts the call and shows the following message box
15. Press OK to go on intercepting the next call to this function, or press Cancel to give up monitoring the program
16. The original MessageBox appears only after step8 has finished
17. Note: I developed this program under XP and have not tested it on a 9x machine. If it runs into problems on 9x, please … my program

Program

' The following code goes in the Form, which needs 2 Command buttons and 3 ComboBoxes
Option Explicit
Dim o As Long
Dim lret As Long
Dim cModules As Long
Dim lModuleBase() As Long
Dim cbModules As Long
Dim mImp As IMAGE_IMPORT_DESCRIPTOR
Dim n_Addr1 As Long, n_Addr2 As Long
Dim Imp_p() As mImp_Table
Dim NumOfImp As Long
Dim RMM As myRemoteCls

Private Sub Combo1_Click()
    Dim lIndex As Long
    lIndex = Combo1.ListIndex
    n_ProcessID = lProcessID(lIndex)
    Combo2.SetFocus
End Sub

Private Sub Combo1_GotFocus()
    Combo1.Clear
    Num_Of_Process = 0
    Dim sName As String
    Dim hSnap As Long, proc As PROCESSENTRY32
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hSnap = hNull Then Exit Sub
    proc.dwSize = Len(proc)
    If Process32First(hSnap, proc) Then
        Do
            sName = Trim0(proc.szExeFile)
            Combo1.AddItem "PID:" & Format(proc.th32ProcessID, "00000000") & " "
            ReDim Preserve lProcessID(Num_Of_Process)
            lProcessID(Num_Of_Process) = proc.th32ProcessID
            Num_Of_Process = Num_Of_Process + 1
        Loop While Process32Next(hSnap, proc)
    End If
End Sub

Public Sub GetModule(ByVal ProcessID As Long)
    Dim hSnapshot As Long
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID)
    If hSnapshot = -1 Then
        Exit Sub
    End If
    Dim sModuleName As String
    Dim ModEntry As MODULEENTRY32
    ModEntry.dwSize = LenB(ModEntry)
    If Module32First(hSnapshot, ModEntry) Then
        cbModules = 1
        Do
            ReDim Preserve lModuleBase(1 To cbModules)
            sModuleName = Left$(ModEntry.szModule, InStr(1, ModEntry.szModule, Chr(
            lModuleBase(cbModules) = ModEntry.modBaseAddr
            Combo2.AddItem sModuleName & "Module Bass Address:" & lModuleBase(cb
            cbModules = cbModules + 1
        Loop While Module32Next(hSnapshot, ModEntry)
    End If
    CloseHandle hSnapshot
End Sub

Private Sub Combo2_Click()
    Dim i As Long
    i = Combo2.ListIndex
    n_ModuleAddress = lModuleBase(i + 1)
    MsgBox n_ModuleAddress
    Combo3.SetFocus
End Sub

Private Sub Combo2_GotFocus()
    Combo2.Clear
    GetModule n_ProcessID
End Sub

Sub GetImports()
    Dim hProcess As Long
    Dim o As DOS_MZ_HEADER
    Dim p As PE_File_Header
    Dim ord As Integer, i As Long, j As Long, tm As Long
    Dim AddrFunc As Long
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0&, n_ProcessID)
    If hProcess Then
        ReadProcessMemory hProcess, ByVal n_ModuleAddress, o, Len(o), tm ' read the Dos
        If o.e_magic <> "MZ" Then
            MsgBox "Dos MZ 檔頭錯誤"
            Exit Sub
        End If
        'Public Type PE_File_Header
        ' SECTION As Long 'pe
        ' FILE_HEADER As IMAGE_FILE_HEADER
        ' OPTIONAL As IMAGE_OPTIONAL_HEADER
        ' DataDirectory(0 To 15) As IMAGE_DATA_DIRECTORY '100
        'End Type
        ' Read the PE header, which has four parts
        ' Read part one
        ReadProcessMemory hProcess, ByVal n_ModuleAddress + o.e_lfanew, p.SECTION, Len(p.SECTION), tm ' read part one
        If p.SECTION <> PEMAGIC Then
            MsgBox "PE檔頭錯誤"
            Exit Sub
        End If
        ' Read part two: IMAGE_FILE_HEADER
        ReadProcessMemory hProcess, ByVal n_ModuleAddress + o.e_lfanew + Len(p.SECT
        p.FILE_HEADER, Len(p.FILE_HEADER), tm
        ' Read part three: IMAGE_OPTIONAL_HEADER
        ReadProcessMemory hProcess, ByVal n_ModuleAddress + o.e_lfanew + Len(p.SECT
        Len(p.FILE_HEADER), p.OPTIONAL, Len(p.OPTIONAL), tm
        ' Read part four: IMAGE_DATA_DIRECTORY
        ReadProcessMemory hProcess, ByVal n_ModuleAddress + o.e_lfanew + Len(p.SECT
        Len(p.FILE_HEADER) + Len(p.OPTIONAL), p.DataDirectory(0), Len(p.DataDirectory(0)
        Dim lDll As Long ' index of the imported DLL
        Dim sName As String, sAddr As Long
        Erase Imp_p
        NumOfImp = 0
        Dim ITD As IMAGE_IMPORT_BY_NAME
        Dim IAT As IMAGE_IMPORT_BY_ADDR
        ' Read the ordinal and the function name
        Dim ts() As Byte
        ReDim ts(260)
        Dim lOr As Long
        Dim ILP_Address As Long, lpAddress As Long
        Dim sModuleName As String
        Do
            ' Read the import descriptor
            ReadProcessMemory hProcess, ByVal n_ModuleAddress + p.DataDirectory(1).VirtualAddress + lDll * Len(mImp), mImp, Len(mImp), tm
            If mImp.Name = 0 And mImp.OriginalFirstThunk = 0 Then Exit Do
            ReadProcessMemory hProcess, ByVal n_ModuleAddress + mImp.Name, ts(0), 2
            sModuleName = LPSTRtoBSTR(VarPtr(ts(0)))
            lDll = lDll + 1
            lOr = 0
            Do
                ' Read the address entry of the Import Lookup Table
                ReadProcessMemory hProcess, ByVal n_ModuleAddress + mImp.OriginalFir
                lOr * 4, ILP_Address, Len(ILP_Address), tm
                If ILP_Address = 0 Then Exit Do
                ReDim Preserve Imp_p(NumOfImp)
                ' Read the IMAGE_THUNK_DATA structure that OriginalFirstThunk points to
                Dim pon As Currency, lop As Long
                pon = n_ModuleAddress
                pon = pon + ILP_Address
                If pon > &H7FFFFFFF Then
                    pon = pon - &H7FFFFFFF - &H7FFFFFFF - 2
                End If
                lop = pon
                ReadProcessMemory hProcess, ByVal lop, ITD, Len(ITD), tm
                ' Record the hint
                Imp_p(NumOfImp).lHint = ITD.Hint
                ' Read the API name
                sName = LPSTRtoBSTR(VarPtr(ITD.Name1(0)))
                Imp_p(NumOfImp).sFunctionName = sName & " - [" & sModuleName & "]
                Imp_p(NumOfImp).lIAT_Address = n_ModuleAddress + mImp.FirstThunk +
                Combo3.AddItem Imp_p(NumOfImp).sFunctionName
                NumOfImp = NumOfImp + 1
                lOr = lOr + 1
            Loop
        Loop
        CloseHandle hProcess
    Else
        MsgBox "無訪開啟該Process"
    End If
End Sub

Function LPSTRtoBSTR(ByVal lpsz As Long) As String
    Dim cChars As Long
    cChars = lstrlenA(lpsz)
    LPSTRtoBSTR = String$(cChars, 0)
    CopyMemory ByVal StrPtr(LPSTRtoBSTR), ByVal lpsz, cChars
    LPSTRtoBSTR = Trim0(StrConv(LPSTRtoBSTR, vbUnicode))
End Function

Private Sub Combo3_Click()
    n_index = Combo3.ListIndex
End Sub

Private Sub Combo3_GotFocus()
    Combo3.Clear
    GetImports
End Sub

' Write a Long value into the opcode stream
Public Sub WLongToCode(hProcess As Long, lIndex As Long, ByVal lData As Long)
    Dim yu As Long
    WriteProcessMemory hProcess, ByVal lIndex, lData, 4&, yu
    lIndex = lIndex + 4
End Sub

' Write a Byte value into the opcode stream
Public Sub WByteToCode(hProcess As Long, lIndex As Long, ByVal bData As Byte)
    Dim yu As Long
    WriteProcessMemory hProcess, ByVal lIndex, bData, 1&, yu
    lIndex = lIndex + 1
End Sub

Private Sub Command1_Click()
    Dim hProcess As Long, tm As Long, Data4 As Long
    Command1.Enabled = False
    Dim lFunc As Long, lVarAdd As Long, tmNuAdd As Long
    n_Ex = False
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0&, n_ProcessID)
    If hProcess Then
        ReadProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, n_Old_Addres
        Len(n_Old_Address), tm
        MsgBox "old Address is" & Hex(n_Old_Address)
        lFunc = CreateMemory(n_ProcessID, 4096) ' injected function
        lVarAdd = CreateMemory(n_ProcessID, 4096) ' injected variables
        ' First set the external variable to 1; it is set to 0 when the API is intercepted
        Data4 = 1
        WriteProcessMemory hProcess, ByVal lVarAdd, Data4, Len(Data4), tm
        ' Write the function's original address to lVarAdd + 256
        WriteProcessMemory hProcess, ByVal lVarAdd + 256, n_Old_Address, Len(n_Old_A
        tm
        ' Write the interception function
        '-----------------------------------------------------------------------
        tmNuAdd = lFunc
        'Int 3
        'WByteToCode hProcess, tmNuAdd, &HCC
        'push eax
        WByteToCode hProcess, tmNuAdd, &H50
        'mov eax, 00000000
        WByteToCode hProcess, tmNuAdd, &HB8
        WLongToCode hProcess, tmNuAdd, &H0
        'mov dword ptr [lVarAdd], eax
        WByteToCode hProcess, tmNuAdd, &HA3
        WLongToCode hProcess, tmNuAdd, lVarAdd
        'lp1:
        'cmp eax, dword ptr [lVarAdd]
        WByteToCode hProcess, tmNuAdd, &H3B
        WByteToCode hProcess, tmNuAdd, &H5
        WLongToCode hProcess, tmNuAdd, lVarAdd
        'je lp1
        WByteToCode hProcess, tmNuAdd, &H74
        WByteToCode hProcess, tmNuAdd, &HF8
        'pop eax
        WByteToCode hProcess, tmNuAdd, &H58
        'Int 3
        'WByteToCode hProcess, tmNuAdd, &HCC
        'jmp dword ptr [lVarAdd + 256] ; where [lVarAdd + 256] = address of the original function
        WByteToCode hProcess, tmNuAdd, &HFF
        WByteToCode hProcess, tmNuAdd, &H25
        WLongToCode hProcess, tmNuAdd, lVarAdd + 256 '
        '--------------------------------------------------------------------------
        ' Modify the IAT address
        WriteProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, lFunc, Len(l
        ' Interception handling
        Dim bProcessMemory As Long, RtnV
        Do
            ' Wait for the function to be intercepted
            Do
                If ReadProcessMemory(hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcessMemory), tm) = 0 Then
                    MsgBox "嚴重錯誤"
                    GoTo Exp
                End If
                DoEvents
                If n_Ex Then
                    GoTo Exp
                End If
            Loop While bProcessMemory
            Me.Show
            RtnV = MsgBox("攔截到目標程式呼叫" & Imp_p(n_index).sFunctionName & vbC
            "要繼續攔截下次呼叫?", vbOKCancel, "抓到了")
            If RtnV = vbCancel Then
                WriteProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, n_Old_Address, Len(n_Old_Address), tm
                bProcessMemory = 1
                WriteProcessMemory hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcessMemory), tm
                Exit Do
            End If
            bProcessMemory = 1
            WriteProcessMemory hProcess, ByVal lVarAdd, bProcessMemory, Len(bProcess
            tm
            DoEvents
        Loop
Exp:
        DeleteMemory n_ProcessID, lFunc
        DeleteMemory n_ProcessID, lVarAdd
        CloseHandle hProcess
    Else
        MsgBox "無訪開啟該Process"
    End If
    Command1.Enabled = True
End Sub

Public Function CreateMemory(ByVal ProcessID As Long, ByVal mSize As Long) As L
    CreateMemory = RMM.RemortMemoryAlloc(ProcessID, mSize)
End Function

Public Sub DeleteMemory(ByVal ProcessID As Long, ByVal da As Long)
    RMM.RemortMemoryRemove ProcessID, da
End Sub

Private Sub Command2_Click()
    Dim hProcess As Long, tm As Long
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0&, n_ProcessID)
    If hProcess Then
        WriteProcessMemory hProcess, ByVal Imp_p(n_index).lIAT_Address, n_Old_Addre
        Len(n_Old_Address), tm
        CloseHandle hProcess
        n_Ex = True
    Else
        MsgBox "無法開啟該Process"
    End If
End Sub

Private Sub Form_Load()
    Set RMM = New myRemoteCls
End Sub

' The following code goes in Module1.bas
Public Const PROCESS_QUERY_INFORMATION = 1024
Public Const PROCESS_VM_READ = 16
Public Const STANDARD_RIGHTS_REQUIRED = &HF0000
Public Const SYNCHRONIZE = &H100000
Public Const PROCESS_ALL_ACCESS = &H1F0FFF
Public Const TH32CS_SNAPPROCESS = &H2&
Public Const hNull = 0
Public Const MAX_PATH = 260
Public Const MAX_MODULE_NAME32 = 255
Public Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Long
    modBaseSize As Long
    hModule As Long
    szModule As String * MAX_MODULE_NAME32
    szExePath As String * MAX_PATH
End Type
Public Const TH32CS_SNAPHEAPLIST = &H1
Public Const TH32CS_SNAPTHREAD = &H4
Public Const TH32CS_SNAPMODULE = &H8
Public Const TH32CS_SNAPALL = (TH32CS_SNAPHEAPLIST Or TH32CS_SNAPPROCESS Or TH32CS_SNAPTHREAD Or TH32CS_SNAPMODULE)
Public Const TH32CS_INHERIT = &H80000000
Public Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long,
MODULEENTRY32) As Long
Public Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, l
MODULEENTRY32) As Long
Public lProcessID() As Long
Public Num_Of_Process As Long
Public n_ProcessID As Long
Public n_ModuleAddress As Long
Public n_index As Long
Public n_Old_Address As Long
Public n_Ex As Boolean

Public Function Trim0(sName As String) As String
    Dim x As Integer
    x = InStr(sName, Chr$(0))
    If x > 0 Then Trim0 = Left$(sName, x - 1) Else Trim0 = sName
End Function

' The following code goes in Module2.bas
Option Explicit
Public Const IMAGE_DOS_SIGNATURE As Integer = &H5A4D ' MZ
Public Const IMAGE_OS2_SIGNATURE As Integer = &H454E ' NE
Public Const IMAGE_OS2_SIGNATURE_LE As Integer = &H454C 'LE
Public Const IMAGE_NT_SIGNATURE As Long = &H4550 ' PE00
Public Type DOS_MZ_HEADER
    e_magic As String * 2 ' Magic number
    e_cblp As Integer 'Bytes on last page of file
    e_cp As Integer 'Pages in file
    e_crlc As Integer 'Relocations
    e_cparhdr As Integer 'Size of header in paragraphs
    e_minalloc As Integer ' Minimum extra paragraphs needed
    e_maxalloc As Integer ' Maximum extra paragraphs needed
    e_ss As Integer 'Initial (relative) SS value
    e_sp As Integer 'Initial SP value
    e_csum As Integer 'Checksum
    e_ip As Integer 'Initial IP value
    e_cs As Integer 'Initial (relative) CS value
    e_lfarlc As Integer 'File address of relocation table
    e_ovno As Integer 'Overlay number
    e_res(0 To 3) As Integer 'Reserved words
    e_oemid As Integer 'OEM identifier (for e_oeminfo)
    e_oeminfo As Integer 'OEM information; e_oemid specific
    e_res2(0 To 9) As Integer 'Reserved words
    e_lfanew As Long ' File address of new exe header
End Type
'CPU Type
Public Const CPU_UNKNOW As Integer = &H0
Public Const CPU_80386 As Integer = &H14C
Public Const CPU_80486 As Integer = &H14D
Public Const CPU_Pentium As Integer = &H14E
Public Const CPU_MIPS_R2000 As Integer = &H162
Public Const CPU_MIPS_R3000 As Integer = &H162
Public Const CPU_MIPS_R6000 As Integer = &H163
Public Const CPU_MIPS_R4000 As Integer = &H166
Public Const IMAGE_SIZEOF_SHORT_NAME = 8
Public Type IMAGE_SECTION_HEADER
    Name As String * IMAGE_SIZEOF_SHORT_NAME
    PhysicalAddress_or_VirtualSize As Long 'or VirtualSize
    VirtualAddress As Long
    SizeOfRawData As Long
    PointerToRawData As Long
    PointerToRelocations As Long
    PointerToLinenumbers As Long
    NumberOfRelocations As Integer
    NumberOfLinenumbers As Integer
    Characteristics As Long
End Type
'Image Section type
Public Const IMAGE_SCN_CNT_CODE As Long = &H20
Public Const IMAGE_SCN_CNT_INITIALIZED_DATA As Long = &H40
Public Const IMAGE_SCN_CNT_UNINITIALIZED_DATA As Long = &H80
Public Const IMAGE_SCN_LNK_INFO As Long = &H200
Public Const IMAGE_SCN_LNK_REMOVE As Long = &H800
Public Const IMAGE_SCN_LNK_COMDAT As Long = &H1000
Public Const IMAGE_SCN_MEM_FARDATA As Long = &H8000
Public Const IMAGE_SCN_MEM_PURGEABLE As Long = &H20000
Public Const IMAGE_SCN_MEM_LOCKED As Long = &H40000
Public Const IMAGE_SCN_MEM_PRELOAD As Long = &H80000
Public Const IMAGE_SCN_LNK_NRELOC_OVFL As Long = &H1000000
Public Const IMAGE_SCN_MEM_DISCARDABLE As Long = &H2000000
Public Const IMAGE_SCN_MEM_NOT_CACHED As Long = &H4000000
Public Const IMAGE_SCN_MEM_NOT_PAGED As Long = &H8000000
Public Const IMAGE_SCN_MEM_SHARED As Long = &H10000000
Public Const IMAGE_SCN_MEM_EXECUTE As Long = &H20000000
Public Const IMAGE_SCN_MEM_READ As Long = &H40000000
Public Const IMAGE_SCN_MEM_WRITE As Long = &H80000000
Public Type IMAGE_IMPORT_DESCRIPTOR
    OriginalFirstThunk As Long
    TimeDateStamp As Long
    ForwarderChain As Long
    Name As Long
    FirstThunk As Long
End Type
Public Type IMAGE_IMPORT_BY_NAME
    Hint As Integer
    Name1(256) As Byte
End Type
Public Type IMAGE_IMPORT_BY_ADDR
    'Hint As Integer
    ADDR As Long
End Type
Public Type IMAGE_FILE_HEADER
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    Characteristics As Integer
End Type
'-----------------------------------------------
' COFF File header
Public Type IMAGE_COFF_HEADER ' 20 bytes
    Machine As Integer
    NumberOfSections As Integer
    TimeDateStamp As Long
    PointerToSymbolTable As Long
    NumberOfSymbols As Long
    SizeOfOptionalHeader As Integer
    Characteristics As Integer
End Type
Public Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 15
'FLAGS
Public Const IMAGE_FILE_RELOCS_STRIPPED As Integer = &H1
Public Const IMAGE_FILE_EXECUTABLE_IMAGE As Integer = &H2
Public Const IMAGE_FILE_LINE_NUMS_STRIPPED As Integer = &H4
Public Const IMAGE_FILE_LOCAL_SYMS_STRIPPED As Integer = &H8
Public Const IMAGE_FILE_AGGRESIVE_WS_TRIM As Integer = &H10
Public Const IMAGE_FILE_BYTES_REVERSED_LO As Integer = &H80
Public Const IMAGE_FILE_32BIT_MACHINE As Integer = &H100
Public Const IMAGE_FILE_DEBUG_STRIPPED As Integer = &H200
Public Const IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP As Integer = &H400
Public Const IMAGE_FILE_NET_RUN_FROM_SWAP As Integer = &H800
Public Const IMAGE_FILE_SYSTEM As Integer = &H1000
Public Const IMAGE_FILE_DLL As Integer = &H2000
Public Const IMAGE_FILE_UP_SYSTEM_ONLY As Integer = &H4000
'SUB_SYSTEM
Public Const SUB_SYS_UNKNOW As Integer = &H0
Public Const SUB_SYS_NATIVE As Integer = &H1
Public Const SUB_SYS_WINDOWS_GUI As Integer = &H2
Public Const SUB_SYS_WINDOWS_CHARACTER As Integer = &H3
Public Const SUB_SYS_OS2_CHARACTER As Integer = &H5
Public Const SUB_SYS_POSIX_CHARACTER As Integer = &H7
'DLL Flags
Public Const DLL_FLAGS_PRE_PROCESS_INIT As Integer = &H1
Public Const DLL_FLAGS_PRE_PROCESS_TER As Integer = &H2
Public Const DLL_FLAGS_PRE_THREAD_INIT As Integer = &H4
Public Const DLL_FLAGS_PRE_THREAD_TER As Integer = &H8
Public Type IMAGE_DATA_DIRECTORY
    VirtualAddress As Long
    Size As Long
End Type
Public Type IMAGE_OPTIONAL_HEADER
    Magic As Integer
    MajorLinkerVersion As Byte
    MinorLinkerVersion As Byte
    SizeOfCode As Long
    SizeOfInitializedData As Long
    SizeOfUninitializedData As Long
    AddressOfEntryPoint As Long
    BaseOfCode As Long
    BaseOfData As Long
    ' NT additional fields.24
    ImageBase As Long '28
    SectionAlignment As Long '32
    FileAlignment As Long '36
    MajorOperatingSystemVersion As Integer
    MinorOperatingSystemVersion As Integer '40
    MajorImageVersion As Integer
    MinorImageVersion As Integer '44
    MajorSubsystemVersion As Integer
    MinorSubsystemVersion As Integer '48
    Reserved1 As Long '56
    SizeOfImage As Long '60
    SizeOfHeaders As Long '64
    CheckSum As Long '68
    Subsystem As Integer '70
    DllCharacteristics As Integer '72
    SizeOfStackReserve As Long '76
    SizeOfStackCommit As Long '80
    SizeOfHeapReserve As Long '84
    SizeOfHeapCommit As Long '88
    LoaderFlags As Long '92
    NumberOfRvaAndSizes As Long '96
End Type
Public Type PE_File_Header
    SECTION As Long 'pe
    FILE_HEADER As IMAGE_FILE_HEADER
    OPTIONAL As IMAGE_OPTIONAL_HEADER
    DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES) As IMAGE_DATA_DIRECTOR
End Type
'---------------------------------------------------
Public Type IMAGE_NT_HEADERS
    Signature As Long
    FileHeader As IMAGE_FILE_HEADER
    OptionalHeader As IMAGE_OPTIONAL_HEADER
    DataDirectory(0 To IMAGE_NUMBEROF_DIRECTORY_ENTRIES) As IMAGE_DATA_DIRECTOR
End Type
Public Type IMAGE_PE_FILE_HEADER ' 256 bytes
    Signature As Long ' 4 bytes -- PE signature
    FileHeader As IMAGE_COFF_HEADER ' 20 bytes -- This is the COFF he
    OptionalHeader As IMAGE_OPTIONAL_HEADER ' 232 bytes
End Type
Public Type IMAGE_EXPORT_DIRECTORY
    Characteristics As Long
    TimeDateStamp As Long
    MajorVersion As Integer
    MinorVersion As Integer
    Name As Long
    Base As Long
    NumberOfNames As Long
    NumberOfFunctions As Long
    AddressOfFunctions As Long
    AddressOfNames As Long
    AddressOfNameOrdinals As Long
End Type
Public Const ENEWHDR As Long = &H3C '/* offset of new EXE header */
Public Const EMAGIC As Integer = &H5A4D '/* old EXE magic id: 'MZ' */
Public Const PEMAGIC As Long = &H4550 '/* NT portable executable */
Public Const PAGE_NOACCESS = &H1
Public Const PAGE_READONLY = &H2
Public Const PAGE_READWRITE = &H4
Public Const PAGE_WRITECOPY = &H8
Public Const PAGE_EXECUTE = &H10
Public Const PAGE_EXECUTE_READ = &H20
Public Const PAGE_EXECUTE_READWRITE = &H40
Public Const PAGE_EXECUTE_WRITECOPY = &H80
Public Const PAGE_GUARD = &H100
Public Const PAGE_NOCACHE = &H200
Public Const MEM_COMMIT = &H1000
Public Const MEM_RESERVE = &H2000
Public Const MEM_DECOMMIT = &H4000
Public Const MEM_RELEASE = &H8000
Public Const MEM_FREE = &H10000
Public Const MEM_PRIVATE = &H20000
Public Const MEM_MAPPED = &H40000
Public Const MEM_RESET = &H80000
Public Const MEM_TOP_DOWN = &H100000
Public Const MEM_4MB_PAGES = &H80000000
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, l
As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long
Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpA
Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Public Declare Function GetLastError Lib "kernel32" () As Long
' ----------
' API errors
' ----------
Public Const FORMAT_MESSAGE_FROM_SYSTEM = &H1000
Public Const FORMAT_MESSAGE_IGNORE_INSERTS = &H200
Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" ( _
    ByVal dwFlags As Long, lpSource As Any, ByVal dwMessageId As Long, _
    ByVal dwLanguageId As Long, ByVal lpBuffer As String, _
    ByVal nSize As Long, ByVal Arguments As Long) As Long
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA"
lpModuleName As String) As Long
Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, B
lpProcName As String) As Long
Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (By
lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal Msg As Long, ByVal wParam As Lo
lParam As Long) As Long
Public Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) A
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpDest As Any,
As Any, ByVal cBytes As Long)
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Lon
lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten
As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Lo
lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten
As Long
Public Const LOADLIBRARY16_ORD As Integer = 35
Public Const FREELIBRARY16_ORD As Integer = 36
Public Const GETPROCADDRESS16_ORD As Integer = 37
Public opIndex As Long ' write position
Dim OpCode() As Byte ' assembly opcodes
Public Type Exp_Tab
    sFunctionName As String
    lOrd As Integer
End Type
Public Type mImp_Table
    lIAT_Address As Long
    sFunctionName As String
    lHint As Integer
End Type

' The following code goes in myRemoteCls.cls
Option Explicit
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, l
As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, l
As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
' Process operations
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Lon
bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As
Private Type OSVERSIONINFO
    dwOSVersionInfoSize As Long
    dwMajorVersion As Long
    dwMinorVersion As Long
    dwBuildNumber As Long
    dwPlatformId As Long
    szCSDVersion As String * 128 ' Maintenance string for PSS usage
End Type
Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" _
    (lpVersionInformation As OSVERSIONINFO) As Long
Private Const VER_PLATFORM_WIN32_NT = 2
Private Const VER_PLATFORM_WIN32_WINDOWS = 1
Private Const VER_PLATFORM_WIN32s = 0
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination
Source As Long, ByVal Length As Long)
Private Declare Function CreateFileMapping Lib "kernel32" Alias "CreateFileMapping
hFile As Long, lpFileMappigAttributes As Any, ByVal flProtect As Long, ByVal
dwMaximumSizeHigh As Long, ByVal dwMaximumSizeLow As Long, ByVal lpName As String
Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject
ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal dwFileOffs
Long, ByVal dwNumberOfBytesToMap As Long) As Long
Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any)
Private Const GENERIC_READ = &H80000000
Private Const GENERIC_WRITE = &H40000000
Private Const OPEN_ALWAYS = 4
Private Const FILE_ATTRIBUTE_NORMAL = &H80
Private Const SECTION_MAP_WRITE = &H2
Private Const FILE_MAP_WRITE = SECTION_MAP_WRITE
Private Const PAGE_READWRITE As Long = &H4
Private Const MEM_HANDLE As Long = &HFFFFFFFF
Private Declare Function CoCreateGuid Lib "ole32.dll" (lpGUID As Any) As Long
Private Declare Function StringFromGUID2 Lib "ole32" (lpGUID As Any, ByVal lpStr A
ByVal lSize As Long) As Long
Private Type FileMap
    iCount As Integer
    AddressOfFileMap() As Long
    hFileMap() As Long
    tProcessID() As Long
    iIndex As Integer
End Type
Dim UseMap As FileMap
' Process parameters
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const SYNCHRONIZE = &H100000
Private Const SPECIFIC_RIGHTS_ALL = &HFFFF
Private Const STANDARD_RIGHTS_ALL = &H1F0000
Private Const PROCESS_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &
Private Const PROCESS_VM_OPERATION = &H8&
Private Const PROCESS_VM_READ = &H10&
Private Const PROCESS_VM_WRITE = &H20&
Private Const PROCESS_QUERY_INFORMATION = 1024
' Memory types
Private Const MEM_COMMIT = &H1000
Private Const MEM_RESERVE = &H2000
Private Const MEM_DECOMMIT = &H4000
Private Const MEM_RELEASE = &H8000
Private Const MEM_FREE = &H10000
Private Const MEM_PRIVATE = &H20000
Private Const MEM_MAPPED = &H40000
Private Const MEM_RESET = &H80000
Private Const MEM_TOP_DOWN = &H100000
Private Const MEM_4MB_PAGES = &H80000000
Private Const SEC_IMAGE = &H1000000
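The interception above replaces one IAT slot with the address of memory obtained from VirtualAllocEx, so the slot stops pointing into the DLL named in its import descriptor and, in fact, into any loaded module. The check below is an added example, not part of the original article: it audits a snapshot of a process's module list and IAT slots for exactly that condition. The type and function names, the addresses and the forwarder allow-list are constructed for illustration, and collecting the snapshot from a live process is assumed to be done by separate tooling.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class IatSlot:
    dll: str           # DLL named in the import descriptor
    function: str      # imported function name
    slot_address: int  # where the pointer is stored in the importing module
    target: int        # pointer value currently stored in the slot


def owner_of(addr, modules):
    """Return the loaded module whose image contains addr, or None."""
    for module in modules:
        if module.contains(addr):
            return module
    return None


def audit_iat(slots, modules, known_forwards=frozenset()):
    """Return (function, verdict, owner_name) for every suspicious slot.

    verdict is "outside-all-modules" when the target is in no loaded image
    (for example a private allocation) and "foreign-module" when it lies in
    a module other than the expected DLL and the pair is not an accepted
    export forward.
    """
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for slot in slots:
        expected = by_name.get(slot.dll.lower())
        if expected is not None and expected.contains(slot.target):
            continue  # pointer lands in the DLL it was imported from
        owner = owner_of(slot.target, modules)
        if owner is None:
            verdict = "outside-all-modules"
        elif (slot.dll.lower(), owner.name.lower()) in known_forwards:
            continue  # legitimate forwarded export
        else:
            verdict = "foreign-module"
        findings.append((slot.function, verdict, owner.name if owner else None))
    return findings


# Constructed snapshot of a 32-bit notepad.exe process (all values illustrative).
MODULES = [
    Module("notepad.exe", 0x01000000, 0x14000),
    Module("USER32.dll", 0x77D40000, 0x90000),
    Module("kernel32.dll", 0x7C800000, 0xF6000),
    Module("ntdll.dll", 0x7C900000, 0xAF000),
]
SLOTS = [
    IatSlot("USER32.dll", "GetMessageW", 0x010012A0, 0x77D491C6),
    IatSlot("USER32.dll", "MessageBoxW", 0x010012B8, 0x00AC0000),    # private memory
    IatSlot("KERNEL32.dll", "HeapAlloc", 0x01001010, 0x7C9100C4),    # forwarded to ntdll
    IatSlot("KERNEL32.dll", "CreateFileW", 0x01001014, 0x77D50000),  # wrong module
]
# Accepted (import DLL, owning module) pairs for forwarded exports; an assumption here.
KNOWN_FORWARDS = frozenset({("kernel32.dll", "ntdll.dll")})


def run_demo():
    return audit_iat(SLOTS, MODULES, KNOWN_FORWARDS)


if __name__ == "__main__":
    for function, verdict, owner in run_demo():
        print(f"{function}: {verdict} (target owner: {owner})")
```

A slot reported as outside-all-modules is the strongest signal; foreign-module results need the forwarder list kept current, since forwarded exports and API-set names resolve into other modules legitimately.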