gwfp.bas

提供进程监视[包括启动参数] 进程检测[包括启动参数] 网络连接检测 SSDT检测 BHO检测 IE插件检测 自启动项检测 -------程序部分[使用彩字显示] 包

Attribute VB_Name = "gwfp"
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function VirtualFree Lib "kernel32" (lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As String, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Public Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Public Const INFINITE = &HFFFFFFFF
Public Const PROCESS_VM_READ = &H10
Public Const TH32CS_SNAPPROCESS = &H2
Public Const MEM_COMMIT = 4096
Public Const PAGE_READWRITE = 4
Public Const PROCESS_CREATE_THREAD = (&H2)
Public Const PROCESS_VM_OPERATION = (&H8)
Public Const PROCESS_VM_WRITE = (&H20)
Private Const MEM_RELEASE = &H8000
Private Const MEM_DECOMMIT = &H4000
Public Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

Public Function WriterRemoteData(ByVal pid As Long, ByVal pData As String) As Long
ph = OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, pid)
Dim dwSize As Long
lpszdll = pData
dwSize = lstrlen(lpszdll) + 1
Dim nMa As Long
nMa = VirtualAllocEx(ph, 0, dwSize, MEM_COMMIT, PAGE_READWRITE)
Dim dwWritten As Long
If WriteProcessMemory(ph, nMa, lpszdll, dwSize, dwWritten) Then
   If dwWritten <> dwSize Then
   VirtualFreeEx ph, nMa, dwSize, MEM_COMMIT
    GoTo err01
   End If
Else
GoTo err01
End If
CloseHandle ph
WriterRemoteData = nMa
Exit Function
err01:
CloseHandle ph
WriterRemoteData = 0
End Function

Public Function GetRemoteData(ByVal pid As Long, ByVal ValRef As Long) As String
ph = OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE + PROCESS_VM_READ, False, pid)
If ph = 0 Then GetRemoteData = "读取失败": 'Exit Function
Dim buffpt(255) As Byte
ReadProcessMemory ph, ByVal ValRef, buffpt(0), 255, 0&
'If buffpt(0) = "" Then buffpt(0) = "读取失败"
GetRemoteData = buffpt
CloseHandle ph
End Function