高中时候写的最“自豪”的一段代码,这里贴出来留个纪念
还记得当年是用“方块ACE”这个ID在breeze356论坛上的时候,为了能让YLMH过“掌门人对战平台”的“模块隐藏”这个反外挂机制弄的。思路是用 ZwQueryVirtualMemory 逐段遍历目标进程的用户态地址空间,对每个新出现的分配基址查询其映射的节名(即文件路径),因此不依赖 PEB 里的模块链表。虽然在CSDN博客上有个VB的例子,但是并不能直接使用,最后还是参照着C++的代码硬写了出来。。。
VB6.0编译通过

'模块信息
'模块名称: modPrintProcessModules
'模块功能: 枚举(隐藏)模块
'模块作者: 方块ACE

Option Explicit

' Full access mask used by the original NtOpenProcess call. It is far
' broader than what a memory scan needs (PROCESS_QUERY_INFORMATION,
' &H400, is sufficient for ZwQueryVirtualMemory) and will be refused on
' processes the caller cannot fully control.
Private Const PROCESS_ALL_ACCESS = &H1F0FFF

' Native CLIENT_ID passed to NtOpenProcess. Only UniqueProcess (the PID)
' is filled in here; UniqueThread stays 0.
Private Type CLIENT_ID
    UniqueProcess As Long
    UniqueThread As Long
End Type

' Native OBJECT_ATTRIBUTES (32-bit layout, six Longs = 24 bytes). The
' caller only sets Length; every other field is left zero, so the object
' is opened with default attributes and no name or security descriptor.
Private Type OBJECT_ATTRIBUTES
    Length As Long
    RootDirectory As Long
    ObjectName As Long
    Attributes As Long
    SecurityDescriptor As Long
    SecurityQualityOfService As Long
End Type

' Native MEMORY_BASIC_INFORMATION (32-bit layout, seven Longs = 28 bytes),
' filled by ZwQueryVirtualMemory with class 0. The scan keys on
' AllocationBase to detect a new allocation and on RegionSize to step
' over regions already seen.
Private Type MEMORY_BASIC_INFORMATION
          BaseAddress   As Long
          AllocationBase   As Long
          AllocationProtect   As Long
          RegionSize   As Long
          State   As Long
          Protect   As Long
          Type   As Long
End Type

' Opens the process named by ClientId.UniqueProcess with the rights in
' AccessMask; ProcessHandle receives the handle. Returns an NTSTATUS
' (negative as a Long means failure, see NT_SUCCESS). The handle must be
' released with NtClose.
Private Declare Function NtOpenProcess Lib "ntdll.dll" ( _
                ByRef ProcessHandle As Long, _
                ByVal AccessMask As Long, _
                ByRef ObjectAttributes As OBJECT_ATTRIBUTES, _
                ByRef ClientId As CLIENT_ID) As Long

' Releases a handle obtained from NtOpenProcess. Returns an NTSTATUS.
Private Declare Function NtClose Lib "ntdll.dll" (ByVal ObjectHandle As Long) As Long

' Queries the memory region of ProcessHandle that contains BaseAddress.
' MemoryInformationClass 0 fills a MEMORY_BASIC_INFORMATION (28 bytes);
' class 2 writes a UNICODE_STRING header followed by the mapped file
' name of the section. Both pointer arguments are raw addresses, so pass
' VarPtr(...) of the receiving variable. Returns an NTSTATUS; a name
' that does not fit MemoryInformationLength yields a negative status.
' "ntdll" and "ntdll.dll" resolve to the same library.
Private Declare Function ZwQueryVirtualMemory Lib "ntdll" ( _
                ByVal ProcessHandle As Long, _
                ByVal BaseAddress As Long, _
                ByVal MemoryInformationClass As Long, _
                ByVal pMemoryInformation As Long, _
                ByVal MemoryInformationLength As Long, _
                ByVal pReturnLength As Long) As Long

' Raw memory copy (RtlMoveMemory). Both addresses are ByVal Longs, so
' callers pass VarPtr(...); nothing here bounds-checks ByteLen against
' the destination, the caller must.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" ( _
            ByVal pDst As Long, _
            ByVal pSrc As Long, _
            ByVal ByteLen As Long)

Private Function NT_SUCCESS(ByVal nStatus As Long) As Boolean
        ' Mirrors the NT_SUCCESS macro: an NTSTATUS with the sign bit clear
        ' (success or informational severity) counts as success. Warning and
        ' error severities set the sign bit and therefore read as negative Longs.
        If nStatus < 0 Then
                NT_SUCCESS = False
        Else
                NT_SUCCESS = True
        End If
End Function

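Public Sub PrintProcessModules(ByVal dwProcessId As Long)
    ' Enumerates the image modules mapped into the process dwProcessId and
    ' appends two items per module to Form1.List1: the mapped file path,
    ' then the module base address as hex text.
    '
    ' The user-mode range &H10000..&H7FFF0000 is walked with
    ' ZwQueryVirtualMemory; each new allocation base is asked for its
    ' section name (class 2, the mapped file name). The scan therefore
    ' works from the address space itself and does not read the loader's
    ' module lists (presumably what the "module hiding" the post mentions
    ' manipulates - not verifiable from this code).
    '
    ' dwProcessId: PID of the target process.
    ' Side effects: shows a MsgBox and returns early if the process cannot
    ' be opened; writes to Form1.List1; opens and closes a process handle.
    '
    ' Changes from the original: least-privilege access mask, explicit
    ' status check on NtOpenProcess, bounded copy of the section name,
    ' and the process handle is now released (it used to leak).

    ' Only the query right is needed for ZwQueryVirtualMemory; asking for
    ' PROCESS_ALL_ACCESS fails needlessly where the caller lacks full access.
    Const PROCESS_QUERY_INFORMATION As Long = &H400
    ' MemoryInformationClass values understood by ZwQueryVirtualMemory.
    Const MemoryBasicInformation As Long = 0
    Const MemorySectionName As Long = 2
    ' Byte size of the 32-bit MEMORY_BASIC_INFORMATION structure.
    Const MBI_SIZE As Long = 28
    ' Scratch buffer that receives the section name.
    Const NAME_BUFFER_SIZE As Long = 256
    ' The WCHAR name follows the 8-byte UNICODE_STRING header
    ' (Length, MaximumLength, Buffer) in that scratch buffer.
    Const NAME_OFFSET As Long = 8

    Dim objCid As CLIENT_ID
    Dim objOa As OBJECT_ATTRIBUTES
    Dim hProcess As Long
    Dim dwVirtualAddr As Long
    Dim dwRet As Long
    Dim nameLen As Long
    Dim mbi As MEMORY_BASIC_INFORMATION
    Dim buffer(NAME_BUFFER_SIZE - 1) As Byte
    Dim ModuleName() As Byte
    Dim LastBase As Long
    Dim ntStatus As Long

    ' Len of this all-Long UDT is 24, the native OBJECT_ATTRIBUTES size.
    objOa.Length = Len(objOa)
    objCid.UniqueProcess = dwProcessId
    ntStatus = NtOpenProcess(hProcess, PROCESS_QUERY_INFORMATION, objOa, objCid)
    ' Check the NTSTATUS explicitly instead of inferring failure from a
    ' zero handle alone.
    If (Not NT_SUCCESS(ntStatus)) Or hProcess = 0 Then
        MsgBox "无法打开进程", vbOKOnly, "提示"
        Exit Sub
    End If

    dwVirtualAddr = &H10000
    Do
        ntStatus = ZwQueryVirtualMemory(hProcess, dwVirtualAddr, MemoryBasicInformation, VarPtr(mbi), MBI_SIZE, VarPtr(dwRet))
        If NT_SUCCESS(ntStatus) Then
            If mbi.AllocationBase <> LastBase Then
                ' First region of an allocation not seen before: query its
                ' mapped file name. The call returns a negative status for
                ' memory that is not a mapped section and when the name does
                ' not fit the buffer.
                LastBase = mbi.AllocationBase
                ntStatus = ZwQueryVirtualMemory(hProcess, dwVirtualAddr, MemorySectionName, VarPtr(buffer(0)), NAME_BUFFER_SIZE, VarPtr(dwRet))
                If NT_SUCCESS(ntStatus) Then
                    ' UNICODE_STRING.Length (first two bytes) is the name
                    ' length in BYTES, not characters.
                    nameLen = 0
                    CopyMemory VarPtr(nameLen), VarPtr(buffer(0)), 2
                    ' Never copy past the end of buffer(), whatever the header says.
                    If nameLen > NAME_BUFFER_SIZE - NAME_OFFSET Then nameLen = NAME_BUFFER_SIZE - NAME_OFFSET
                    If nameLen > 0 Then
                        ReDim ModuleName(nameLen - 1)
                        CopyMemory VarPtr(ModuleName(0)), VarPtr(buffer(NAME_OFFSET)), nameLen
                        ' A Byte array assigned to a String is taken as UTF-16,
                        ' which matches the WCHAR section name.
                        Form1.List1.AddItem ModuleName          ' mapped file path of the module
                        Form1.List1.AddItem Hex(dwVirtualAddr)  ' module base address
                        ' Drop to the 64K boundary at or below the end of this
                        ' region; the +&H1000 below resumes the scan from there.
                        dwVirtualAddr = mbi.AllocationBase + mbi.RegionSize
                        dwVirtualAddr = dwVirtualAddr And &HFFFF0000
                    End If
                End If
            Else
                ' Still inside an allocation already handled: skip the whole
                ' region. (Mod binds tighter than +, so the second line adds
                ' RegionSize Mod &H1000, which is 0 for page-aligned regions;
                ' kept so the stepping matches the original exactly.)
                dwVirtualAddr = dwVirtualAddr + mbi.RegionSize
                dwVirtualAddr = dwVirtualAddr + mbi.RegionSize Mod &H1000
                GoTo NextLoop
            End If
        End If
        dwVirtualAddr = dwVirtualAddr + &H1000
NextLoop:
    Loop While dwVirtualAddr < &H7FFF0000

    ' Release the process handle; the original left it open for the
    ' lifetime of the program.
    NtClose hProcess
End Sub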

自从接触C#后已经好久没跟API打交道了,现在看起来真是感慨万千。。。

欢迎留言
