Creating a SYSTEM-user process in VB (second method)

    Technology  2022-05-11  80

    Attribute VB_Name = "modHook"

    ' Native and Win32 imports used by the hook module.
    Private Declare Function NtCreateProcessEx Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
    Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long

    Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
    Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
    Private Const SYNCHRONIZE As Long = &H100000
    Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)

    Private Type OBJECT_ATTRIBUTES
        Length As Long
        RootDirectory As Long
        ObjectName As Long
        Attributes As Long
        SecurityDescriptor As Long
        SecurityQualityOfService As Long
    End Type

    ' Hook bookkeeping object (clsHookInfo is defined elsewhere in the project).
    Public gclsHookInfo As clsHookInfo
    Public glngProcess As Long
    ' Handle to a process running as SYSTEM; used as the parent for every hooked call.
    Public glngSystemHandle As Long

    ' Replacement for NtCreateProcessEx installed by the hook. It forwards the call
    ' unchanged except for hParentProcess, which is swapped for glngSystemHandle.
    Public Function NtCreateProcessExCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
        Dim hReturn As Long
        ' hParentProcess is set to the handle of a SYSTEM-user process; note that this handle must not be closed.
        gclsHookInfo.HookStatus False    ' temporarily disable the hook so the real function is reached
        hReturn = NtCreateProcessEx(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort, reserv)
        gclsHookInfo.HookStatus True     ' re-enable the hook
        NtCreateProcessExCallback = hReturn
    End Function

    ' Returns the address passed in; used with AddressOf to obtain the callback's address.
    Public Function GetFunAddr(lngFunAddr As Long) As Long
        GetFunAddr = lngFunAddr
    End Function
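A defender-side check for the technique above, added here as an example and not part of the original post: the hooked call records the SYSTEM process as the new process's parent while the real caller is the hooked, lower-privileged process, so any telemetry that carries both the caller PID and the assigned parent PID (the Microsoft-Windows-Kernel-Process ProcessStart event does, with the caller in the event header) exposes the mismatch. The record layout, sample events and the allowlist of callers that re-parent legitimately are constructed assumptions to be tuned per environment.

```python
"""Flag process-start records whose recorded parent is not the actual caller.

Re-parenting is what the NtCreateProcessEx hook above produces: the new process
claims a SYSTEM process as parent, but the create call came from elsewhere.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    pid: int             # new process
    image: str
    parent_pid: int      # parent recorded in the event data (what the API was told)
    caller_pid: int      # process whose thread actually issued the create call
    caller_image: str


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    ProcessStart(4120, r"C:\Windows\System32\notepad.exe", 3012, 3012, r"C:\Windows\explorer.exe"),
    # Parent claims PID 640 (a SYSTEM process) but the caller is a user-mode tool.
    ProcessStart(4388, r"C:\Windows\System32\cmd.exe", 640, 5120, r"C:\Users\alice\tool.exe"),
    ProcessStart(4512, r"C:\Windows\System32\conhost.exe", 4388, 4388, r"C:\Windows\System32\cmd.exe"),
    # UAC elevation: the AppInfo service (in svchost) creates the process on behalf
    # of the requester and sets the requester as parent; a legitimate mismatch.
    ProcessStart(4600, r"C:\Windows\System32\mmc.exe", 3012, 1188, r"C:\Windows\System32\svchost.exe"),
]

# Callers known to re-parent legitimately. Assumed starting point; tune per environment.
KNOWN_REPARENTING_CALLERS = frozenset({r"c:\windows\system32\svchost.exe"})


def find_parent_mismatches(events, allowlist=KNOWN_REPARENTING_CALLERS):
    """Return events where the caller differs from the recorded parent,
    excluding callers on the allowlist."""
    hits = []
    for event in events:
        if event.parent_pid == event.caller_pid:
            continue
        if event.caller_image.lower() in allowlist:
            continue
        hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_parent_mismatches(SAMPLE_EVENTS):
        print(f"pid {hit.pid} ({hit.image}): recorded parent {hit.parent_pid}, "
              f"actual caller {hit.caller_pid} ({hit.caller_image})")
```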

