I was about to get moving ~!~ but CSDN can't be opened again. Maybe my RP (luck) is just bad ...... so I'll stick with the old technique I learned over the past few days: assembling code to run in a remote thread.

Source: Internet
Author: User

En ~ after all, I learned how to do it in my spare time.

The code is written in VB.NET 2008. It is mainly based on the VB6 code someone wrote a few days ago; that ran well, but converting it to VB.NET 2008 turned out to be a pain. It runs fine on a D325 CPU under XP, but on a TK55 laptop running Vista, VB6 is okay while .NET ... For this reason, the code was completely rewritten.

Procedure:

1. Obtain the Process Handle using the ID and apply for a piece of memory for it:

'Obtain the target process
RemoteProcess = Process.GetProcessById(PID)
'Request 4 KB of memory in the target process
AllocBaseAddress = VirtualAllocEx(RemoteProcess.Handle, 0, MEM_SIZE, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)

2. Build assembly code. There are two situations:

A. Add code

'Add an integer
Protected Sub AddInt2Code(ByVal Value As Integer)
    Dim bytes() As Byte = BitConverter.GetBytes(CInt(Value))   'get the byte representation
    Add2Memory(bytes, PtrAddressOffset)                         'write it to the code area
    PtrAddressOffset += 4                                       'move the code pointer forward
End Sub

'Add a byte
Protected Sub AddByte2Code(ByVal Value As Byte)
    Dim bytes(0) As Byte
    bytes(0) = Value
    Add2Memory(bytes, PtrAddressOffset)
    PtrAddressOffset += 1
End Sub

'Add a byte array
Protected Sub AddBytes2Code(ByVal Value As Byte())
    Add2Memory(Value, PtrAddressOffset)
    PtrAddressOffset += Value.Length
End Sub

B. add data

Add2Memory(Value, ObjAddressOffset)                        'write the data to the data area
Dim odata As New mData                                     'record each data item (address and length)
odata.prt = ObjAddressOffset + AllocBaseAddress
odata.len = Value.Length
DataArraylist.Add(odata)
ObjAddressOffset += Value.Length                           'move the data pointer forward
ObjAddressOffset += (4 - ObjAddressOffset Mod 4) Mod 4     'pad up to the next 4-byte boundary
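The bookkeeping for the two areas of the 4 KB region (code at offsets 0..511, data from 512 up) is easy to get subtly wrong: the alignment step as written in the post adds `offset Mod 4` instead of padding up to the next multiple of 4, and nothing stops code from growing into the data area. The following is an added example, not the post's code. MEM_SIZE and the 512-byte split are the post's values; the base address, the class and the function names are constructed for illustration. It models the same offsets and records, applies the bounds checks, and shows the alignment done correctly next to the post's version for comparison.

```python
"""Bookkeeping for a 4 KB region split into a 512-byte code area and a data
area, with bounds checks and 4-byte alignment (added example, not the post's
code)."""

MEM_SIZE = 0x1000   # 4 KB, as in the post
DATA_START = 512    # first 512 bytes are code, the rest data


def align_up(offset, alignment=4):
    """Round offset up to the next multiple of alignment; unchanged if already aligned."""
    return (offset + alignment - 1) // alignment * alignment


def post_alignment(offset):
    """The post's step as written: offset += offset Mod 4. Shown only for
    comparison; it does not produce a multiple of 4 (513 -> 514)."""
    return offset + offset % 4


class RegionLayout:
    """Tracks where the next code bytes and data bytes would land, mirroring the
    post's PtrAddressOffset / ObjAddressOffset / DataArraylist fields."""

    def __init__(self, base=0x00670000):   # base: constructed sample address
        self.base = base
        self.code_offset = 0
        self.data_offset = DATA_START
        self.records = []    # (absolute address, length) per data item

    def add_code(self, blob):
        """Append code bytes; refuse to grow past the 512-byte code area
        (a check the post does not make)."""
        if self.code_offset + len(blob) > DATA_START:
            raise ValueError("code area of 512 bytes exhausted")
        offset = self.code_offset
        self.code_offset += len(blob)
        return offset

    def add_data(self, blob):
        """Append a data item and return its offset, or -1 when it would not
        fit in the region (the post's failure case)."""
        if self.data_offset + len(blob) > MEM_SIZE:
            return -1
        offset = self.data_offset
        self.records.append((self.base + offset, len(blob)))
        self.data_offset = align_up(offset + len(blob))
        return offset

    def remaining_data(self):
        """Bytes still free in the data area."""
        return MEM_SIZE - self.data_offset


if __name__ == "__main__":
    layout = RegionLayout()
    print("3-byte item at", layout.add_data(b"abc"), "next data offset", layout.data_offset)
    print("post's alignment of 513 gives", post_alignment(513), "correct is", align_up(513))
```

The `align_up` helper is the general form: it works for any power-of-two or non-power-of-two alignment, not just 4, which is why it is written with integer division rather than a bit mask.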

3. Run

'Run
Function Run() As Integer
    Dim lngRet As Integer
    ThreadHwnd = CreateRemoteThread(RemoteProcess.Handle, 0, 0, AllocBaseAddress, 0, 0, 0)
    WaitForSingleObject(ThreadHwnd, INFINITE)
    GetExitCodeThread(ThreadHwnd, lngRet)
    Return lngRet
End Function

4. Reclaim memory

Protected Overrides Sub Finalize()
    On Error Resume Next
    VirtualFreeEx(RemoteProcess.Handle, AllocBaseAddress, MEM_AUTOFREE, MEM_RELEASE)   'release the memory requested in the target process
    MyBase.Finalize()
End Sub

Finished ~!~
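Seen from the other side, the four steps above leave a recognisable trace: a handle to the target opened with thread-creation and memory-write rights, followed by a thread whose start address is freshly allocated memory that no loaded module backs. The following is an added example, not code from the post. It replays constructed Sysmon-style records (Event ID 10 ProcessAccess and Event ID 8 CreateRemoteThread, with field names as in Sysmon's schema and made-up values) and correlates them per source/target pair to score that sequence; the access-right constants are the real values from winnt.h.

```python
"""Correlating ProcessAccess and CreateRemoteThread records to spot the
allocate / write / start-thread sequence (added example, constructed data)."""
from collections import defaultdict

# Process access rights from winnt.h; Sysmon reports the OR of these in the
# GrantedAccess field of Event ID 10.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # A tool like the post's: full-access handle to notepad, then a thread
    # started at memory that no module image backs (StartModule empty).
    {"EventID": 10, "SourceProcessId": 4120, "TargetProcessId": 2288,
     "SourceImage": r"C:\Users\dev\RemoteAsmTest.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": 0x1F0FFF},
    {"EventID": 8, "SourceProcessId": 4120, "TargetProcessId": 2288,
     "StartAddress": 0x00670000, "StartModule": "", "StartFunction": ""},
    # A monitoring tool that only queries the target; no thread is created.
    {"EventID": 10, "SourceProcessId": 900, "TargetProcessId": 2288,
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": 0x1000},   # PROCESS_QUERY_LIMITED_INFORMATION
    # A remote thread that starts inside a loaded module: weaker signal,
    # since legitimate tooling also does this.
    {"EventID": 10, "SourceProcessId": 5012, "TargetProcessId": 2288,
     "SourceImage": r"C:\Tools\SomeMonitor.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": 0x1F0FFF},
    {"EventID": 8, "SourceProcessId": 5012, "TargetProcessId": 2288,
     "StartAddress": 0x7C80B5A0,
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "ExitThread"},
]


def rights_names(mask):
    """Names of the rights in mask that matter for this detection."""
    names = []
    if mask & PROCESS_CREATE_THREAD:
        names.append("CREATE_THREAD")
    if mask & PROCESS_VM_OPERATION:
        names.append("VM_OPERATION")
    if mask & PROCESS_VM_WRITE:
        names.append("VM_WRITE")
    return names


def find_remote_thread_injection(events):
    """Return one finding per CreateRemoteThread record, scored by whether the
    same source had already obtained write + thread rights on the target and
    whether the thread starts outside any loaded module."""
    access_by_pair = defaultdict(int)
    for ev in events:
        if ev["EventID"] == 10:
            pair = (ev["SourceProcessId"], ev["TargetProcessId"])
            access_by_pair[pair] |= ev["GrantedAccess"]

    findings = []
    for ev in events:
        if ev["EventID"] != 8:
            continue
        pair = (ev["SourceProcessId"], ev["TargetProcessId"])
        granted = access_by_pair.get(pair, 0)
        has_inject_rights = (granted & INJECT_MASK) == INJECT_MASK
        unbacked_start = not ev.get("StartModule")
        if has_inject_rights and unbacked_start:
            confidence = "high"      # write + thread rights, start outside any module
        elif has_inject_rights or unbacked_start:
            confidence = "medium"
        else:
            confidence = "low"
        findings.append({
            "source_pid": pair[0],
            "target_pid": pair[1],
            "start_address": ev["StartAddress"],
            "start_module": ev.get("StartModule") or None,
            "rights": rights_names(granted),
            "confidence": confidence,
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_thread_injection(SAMPLE_EVENTS):
        print(f"{f['confidence']:6} pid {f['source_pid']} -> {f['target_pid']} "
              f"start 0x{f['start_address']:08X} module={f['start_module']} "
              f"rights={f['rights']}")
```

Note the parentheses around the mask test: in Python `==` binds tighter than `&`, so `granted & INJECT_MASK == INJECT_MASK` would compare the wrong thing. The module-backed case is deliberately kept at medium rather than dropped; debuggers and some monitoring agents create remote threads too, so the start module and the source image are what separate the two in practice.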

The complete code is as follows:

Imports System.Runtime.InteropServices

''' <summary>
''' Used to run ASM code in a remote thread.
''' The remote thread is limited to 4 KB of space:
''' the first 512 bytes are used for code, the rest for data.
''' </summary>
''' <remarks>The Declare statements for the Win32 calls used below
''' (VirtualAllocEx, VirtualFreeEx, WriteProcessMemory, CreateRemoteThread,
''' WaitForSingleObject, GetExitCodeThread) are not included in the listing.</remarks>
Public Class RunRemoteASMCode
    'Custom constants
    Private Const MEM_SIZE As Integer = &H1000      'size of the memory requested
    Private Const MEM_AUTOFREE As Integer = &H0     'size passed on release; with MEM_RELEASE the system frees the whole region
    Private Const INFINITE As Integer = -1          'wait time
    'Win32 constants
    Private Const MEM_COMMIT As Integer = &H1000
    Private Const MEM_RESERVE As Integer = &H2000
    Private Const MEM_RELEASE As Integer = &H8000
    Private Const PAGE_EXECUTE_READWRITE As Integer = &H40

    Protected AllocBaseAddress As Integer   'base address of the requested memory
    Protected ThreadHwnd As Integer         'remote thread handle
    Protected RemoteProcess As Process      'target process

    Protected PtrAddressOffset As Integer   'code offset from the base address
    Protected ObjAddressOffset As Integer   'data offset from the base address

    Protected DataArraylist As New ArrayList

    Sub New(ByVal PID As Integer)
        Try
            'Obtain the target process
            RemoteProcess = Process.GetProcessById(PID)
            'Request 4 KB of memory in the target process
            AllocBaseAddress = VirtualAllocEx(RemoteProcess.Handle, 0, MEM_SIZE, MEM_COMMIT Or MEM_RESERVE, PAGE_EXECUTE_READWRITE)
            'Initialize the code and data offsets
            ClearCodeAndData()
        Catch ex As Exception
            Throw New Exception("RunRemoteASMCode class initialization error", ex)
        End Try
    End Sub

    'Write bytes into the requested memory at the given offset
    Protected Sub Add2Memory(ByVal Value() As Byte, ByVal AddressOffset As Integer)
        WriteProcessMemory(RemoteProcess.Handle, AllocBaseAddress + AddressOffset, Value, Value.Length, 0)
    End Sub

    'Add data; returns the offset of the item, or -1 if it does not fit
    Protected Function AddData(ByVal Value() As Byte) As Integer
        If ObjAddressOffset + Value.Length > MEM_SIZE Then
            'MsgBox("the data exceeds the requested memory region and cannot continue")
            Return -1
        Else
            Dim ret As Integer = ObjAddressOffset
            Add2Memory(Value, ObjAddressOffset)                        'write the data to the data area
            Dim odata As New mData                                     'record each data item (address and length)
            odata.prt = ObjAddressOffset + AllocBaseAddress
            odata.len = Value.Length
            DataArraylist.Add(odata)
            ObjAddressOffset += Value.Length                           'move the data pointer forward
            ObjAddressOffset += (4 - ObjAddressOffset Mod 4) Mod 4     'pad up to the next 4-byte boundary
            Return ret
        End If
    End Function

    'Add an integer
    Protected Sub AddInt2Code(ByVal Value As Integer)
        Dim bytes() As Byte = BitConverter.GetBytes(CInt(Value))   'get the byte representation
        Add2Memory(bytes, PtrAddressOffset)                         'write it to the code area
        PtrAddressOffset += 4                                       'move the code pointer forward
    End Sub

    'Add a byte
    Protected Sub AddByte2Code(ByVal Value As Byte)
        Dim bytes(0) As Byte
        bytes(0) = Value
        Add2Memory(bytes, PtrAddressOffset)
        PtrAddressOffset += 1
    End Sub

    'Add a byte array
    Protected Sub AddBytes2Code(ByVal Value As Byte())
        Add2Memory(Value, PtrAddressOffset)
        PtrAddressOffset += Value.Length
    End Sub

    'Run
    Function Run() As Integer
        Dim lngRet As Integer
        ThreadHwnd = CreateRemoteThread(RemoteProcess.Handle, 0, 0, AllocBaseAddress, 0, 0, 0)
        WaitForSingleObject(ThreadHwnd, INFINITE)
        GetExitCodeThread(ThreadHwnd, lngRet)
        Return lngRet
    End Function

    'Clear the code and data (the memory itself is not cleared; only the offsets
    'are reset and the data record table is emptied)
    Public Sub ClearCodeAndData()
        PtrAddressOffset = 0      'code starts at the base address of the requested memory
        ObjAddressOffset = 512    'data starts 512 bytes past the base address
        DataArraylist.Clear()
    End Sub

    Protected Overrides Sub Finalize()
        On Error Resume Next
        VirtualFreeEx(RemoteProcess.Handle, AllocBaseAddress, MEM_AUTOFREE, MEM_RELEASE)   'release the memory requested in the target process
        MyBase.Finalize()
    End Sub

    'Used to record data item information
    Protected Class mData
        Public prt As Integer   'address
        Public len As Integer   'length
    End Class
End Class

With this you can run it .... I didn't come up with any examples, since I first had to learn how to assemble the code ...... and I wrote this mainly for injection ......

Oh well ~ that's it for now. Here is the result of a small test ~ unlucky Notepad ~~~

[screenshot of the test result not reproduced on this page]

~~~ This is the form:

Dim api As RunRemoteAPI

Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Try
        api = New RunRemoteAPI(CInt(TextBox1.Text))

        'Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
        TextBox3.Text = Hex(api.CallRemoteAPIByName("kernel32", "LoadLibraryA", New mFuncParam(System.Text.Encoding.ASCII.GetBytes("c:\test.dll"))))

        TextBox2.Text = Hex(api.BaseAddress)

        'Enumerate the target process's module list
        For Each m As ProcessModule In Process.GetProcessById(api.RemoteProcess.Id).Modules
            ListBox1.Items.Add(m.FileName)
        Next

        'Private Declare Function FreeLibrary Lib "kernel32" Alias "FreeLibrary" (ByVal hLibModule As Long) As Long
        api.CallRemoteAPIByName("kernel32", "FreeLibrary", New mFuncParam(CInt("&H" & TextBox3.Text)))

        'Enumerate the target process's module list again
        For Each m As ProcessModule In Process.GetProcessById(api.RemoteProcess.Id).Modules
            ListBox2.Items.Add(m.FileName)
        Next

        'Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
        Dim s(255) As Byte

        api.CallRemoteAPIByName("user32", "GetWindowTextW", New mFuncParam(CInt(Me.Handle)), _
                                New mFuncParam(s), _
                                New mFuncParam(s.Length))
        Button1.Text = System.Text.Encoding.Unicode.GetString(api.RemoteBytesFromIndex(1))
    Catch ex As Exception
        MsgBox(ex.ToString)
    End Try
End Sub

Building on the above, we get this:

Public Class RunRemoteAPI : Inherits RunRemoteASMCode

It basically works... There are still some shortcomings that need improving, which haven't been finished yet...
