07-17-2023, 11:55 AM
(This post was last modified: 07-17-2023, 12:25 PM by SpriggsySpriggs.)
That reminds me a lot of my PeepingTom code
'Begin $INCLUDE
' Record filled in by Process32First / Process32Next for each process in a snapshot.
' It is handed to those calls by address (_Offset(pe32)), so field order and sizes
' have to stay exactly as declared here.
Type PROCESSENTRY32
As Long dwSize, cntUsage, th32ProcessID ' callers set dwSize = Len(pe32) before Process32First
$If 64BIT Then
As String * 4 padding ' 64-bit builds only: 4 filler bytes ahead of the pointer-sized field
$End If
As _Unsigned _Offset th32DefaultHeapID
As Long th32ModuleID, cntThreads, th32ParentProcessID, pcPriClassBase, dwFlags
As String * 260 szExeFile ' image file name; callers look for ".exe" + Chr$(0) inside it
End Type
' Access rights passed to OpenProcess. Ask only for what an operation needs:
' ReadProcessMemory needs PROCESS_VM_READ; WriteProcessMemory needs
' PROCESS_VM_WRITE together with PROCESS_VM_OPERATION.
' All four OR-ed together give &H0438. Opening another process with write rights
' is the kind of access that process-access telemetry records (for example the
' GrantedAccess field of Sysmon Event ID 10), so narrow masks also keep logs clean.
Const PROCESS_VM_READ = &H0010
Const PROCESS_QUERY_INFORMATION = &H0400
Const PROCESS_VM_WRITE = &H0020
Const PROCESS_VM_OPERATION = &H0008
' Flag for CreateToolhelp32Snapshot: include the process list in the snapshot.
Const TH32CS_SNAPPROCESS = &H00000002
' Used as bInheritHandle in OpenProcess: the handle is not inherited by child processes.
Const TOM_FALSE = 0
' Tool Help snapshot API from Kernel32, used to walk the list of running processes.
' CreateToolhelp32Snapshot returns a handle (%& = _Offset); the two Process32* calls
' return a success flag declared as _Byte (%%).
' NOTE(review): the native success flag is a 32-bit BOOL; the %% suffix keeps one byte,
' which is enough for the 0/1 values these calls return - confirm before adding other APIs.
Declare Dynamic Library "Kernel32"
Function CreateToolhelp32Snapshot%& (ByVal dwFlags As Long, Byval th32ProcessID As Long)
Function Process32First%% (ByVal hSnapshot As _Offset, Byval lppe As _Offset)
Function Process32Next%% (ByVal hSnapshot As _Offset, Byval lppe As _Offset)
End Declare
' Process handle and cross-process memory calls, plus CloseHandle under the alias
' TomCloseHandle and the C runtime's strlen.
' strlen walks memory in THIS process's address space; handing it an address that
' belongs to another process measures unrelated local memory or faults.
Declare CustomType Library
Function OpenProcess%& (ByVal dwDesiredAccess As Long, Byval bInheritHandle As Long, Byval dwProcessId As _Unsigned Long)
Function ReadProcessMemory%% (ByVal hProcess As _Offset, Byval lpBaseAddress As _Offset, Byval lpBuffer As _Offset, Byval nSize As _Offset, Byval lpNumberOfBytesRead As _Offset)
Function WriteProcessMemory%% (ByVal hProcess As _Offset, Byval lpBaseAddress As _Offset, Byval lpBuffer As _Offset, Byval nSize As _Offset, Byval lpNumberOfBytesWritten As _Offset)
Sub TomCloseHandle Alias "CloseHandle" (ByVal hObject As _Offset)
Function strlen& (ByVal ptr As _Unsigned _Offset)
End Declare
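Function PeekByte%% (process As String, address As _Unsigned _Offset)
    ' Reads one signed byte at `address` in the first running process whose image name
    ' equals `process`. Returns 0 when no process matches, the process cannot be opened
    ' or the read fails, so a stored 0 and a failure look the same to the caller.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As _Byte result
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = ReadProcessMemory(hProcess, address, _Offset(result), 1, 0)
                    If memo = 0 Then result = 0 ' failed read: do not hand back a half-filled value
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekByte = result
End Function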
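Function PokeByte% (process As String, address As _Unsigned _Offset, value As _Byte)
    ' Writes the signed byte `value` at `address` in the first running process whose image
    ' name equals `process`. Returns non-zero when WriteProcessMemory reported success and
    ' 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a write needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION only.
                hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = WriteProcessMemory(hProcess, address, _Offset(value), 1, 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeByte = memo
End Function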
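Function PeekUnsignedByte~%% (process As String, address As _Unsigned _Offset)
    ' Reads one unsigned byte at `address` in the first running process whose image name
    ' equals `process`. Returns 0 when no process matches, the process cannot be opened
    ' or the read fails, so a stored 0 and a failure look the same to the caller.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As _Unsigned _Byte result
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = ReadProcessMemory(hProcess, address, _Offset(result), 1, 0)
                    If memo = 0 Then result = 0 ' failed read: do not hand back a half-filled value
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekUnsignedByte = result
End Function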
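Function PokeUnsignedByte% (process As String, address As _Unsigned _Offset, value As _Unsigned _Byte)
    ' Writes the unsigned byte `value` at `address` in the first running process whose image
    ' name equals `process`. Returns non-zero when WriteProcessMemory reported success and
    ' 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As Integer memo
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a write needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION only.
                hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = WriteProcessMemory(hProcess, address, _Offset(value), 1, 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeUnsignedByte = memo
End Function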
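Function PeekInt% (process As String, address As _Unsigned _Offset)
    ' Reads a signed 2-byte Integer at `address` in the first running process whose image
    ' name equals `process`. Returns 0 when no process matches, the process cannot be opened
    ' or the read fails, so a stored 0 and a failure look the same to the caller.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As Integer result
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = ReadProcessMemory(hProcess, address, _Offset(result), 2, 0)
                    If memo = 0 Then result = 0 ' failed read: do not hand back a half-filled value
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekInt = result
End Function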
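Function PokeInt% (process As String, address As _Unsigned _Offset, value As Integer)
    ' Writes the signed 2-byte Integer `value` at `address` in the first running process
    ' whose image name equals `process`. Returns non-zero when WriteProcessMemory reported
    ' success and 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a write needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION only.
                hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = WriteProcessMemory(hProcess, address, _Offset(value), 2, 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeInt = memo
End Function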
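Function PeekUnsignedInt~% (process As String, address As _Unsigned _Offset)
    ' Reads an unsigned 2-byte Integer at `address` in the first running process whose image
    ' name equals `process`. Returns 0 when no process matches, the process cannot be opened
    ' or the read fails, so a stored 0 and a failure look the same to the caller.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As _Unsigned Integer result
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = ReadProcessMemory(hProcess, address, _Offset(result), 2, 0)
                    If memo = 0 Then result = 0 ' failed read: do not hand back a half-filled value
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekUnsignedInt = result
End Function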
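Function PokeUnsignedInt% (process As String, address As _Unsigned _Offset, value As _Unsigned Integer)
    ' Writes the unsigned 2-byte Integer `value` at `address` in the first running process
    ' whose image name equals `process`. Returns non-zero when WriteProcessMemory reported
    ' success and 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a write needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION only.
                hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = WriteProcessMemory(hProcess, address, _Offset(value), 2, 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeUnsignedInt = memo
End Function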
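Function PeekLong& (process As String, address As _Unsigned _Offset)
    ' Reads a signed 4-byte Long at `address` in the first running process whose image
    ' name equals `process`. Returns 0 when no process matches, the process cannot be opened
    ' or the read fails, so a stored 0 and a failure look the same to the caller.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As Long result
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = ReadProcessMemory(hProcess, address, _Offset(result), 4, 0)
                    If memo = 0 Then result = 0 ' failed read: do not hand back a half-filled value
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekLong = result
End Function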
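Function PokeLong% (process As String, address As _Unsigned _Offset, value As Long)
    ' Writes the signed 4-byte Long `value` at `address` in the first running process
    ' whose image name equals `process`. Returns non-zero when WriteProcessMemory reported
    ' success and 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a write needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION only.
                hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = WriteProcessMemory(hProcess, address, _Offset(value), 4, 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeLong = memo
End Function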
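Function PeekUnsignedLong~& (process As String, address As _Unsigned _Offset)
    ' Reads an unsigned 4-byte Long at `address` in the first running process whose image
    ' name equals `process`. Returns 0 when no process matches, the process cannot be opened
    ' or the read fails, so a stored 0 and a failure look the same to the caller.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As _Unsigned Long result
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = ReadProcessMemory(hProcess, address, _Offset(result), 4, 0)
                    If memo = 0 Then result = 0 ' failed read: do not hand back a half-filled value
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekUnsignedLong = result
End Function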
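Function PokeUnsignedLong% (process As String, address As _Unsigned _Offset, value As _Unsigned Long)
    ' Writes the unsigned 4-byte Long `value` at `address` in the first running process
    ' whose image name equals `process`. Returns non-zero when WriteProcessMemory reported
    ' success and 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a write needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION only.
                hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = WriteProcessMemory(hProcess, address, _Offset(value), 4, 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeUnsignedLong = memo
End Function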
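Function PeekInt64&& (process As String, address As _Unsigned _Offset)
    ' Reads a signed 8-byte _Integer64 at `address` in the first running process whose image
    ' name equals `process`. Returns 0 when no process matches, the process cannot be opened
    ' or the read fails, so a stored 0 and a failure look the same to the caller.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As _Integer64 result
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = ReadProcessMemory(hProcess, address, _Offset(result), 8, 0)
                    If memo = 0 Then result = 0 ' failed read: do not hand back a half-filled value
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekInt64 = result
End Function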
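Function PokeInt64% (process As String, address As _Unsigned _Offset, value As _Integer64)
    ' Writes the signed 8-byte _Integer64 `value` at `address` in the first running process
    ' whose image name equals `process`. Returns non-zero when WriteProcessMemory reported
    ' success and 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a write needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION only.
                hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = WriteProcessMemory(hProcess, address, _Offset(value), 8, 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeInt64 = memo
End Function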
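Function PeekUnsignedInt64~&& (process As String, address As _Unsigned _Offset)
    ' Reads an unsigned 8-byte _Integer64 at `address` in the first running process whose
    ' image name equals `process`. Returns 0 when no process matches, the process cannot be
    ' opened or the read fails, so a stored 0 and a failure look the same to the caller.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As _Unsigned _Integer64 result
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = ReadProcessMemory(hProcess, address, _Offset(result), 8, 0)
                    If memo = 0 Then result = 0 ' failed read: do not hand back a half-filled value
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekUnsignedInt64 = result
End Function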
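Function PokeUnsignedInt64% (process As String, address As _Unsigned _Offset, value As _Unsigned _Integer64)
    ' Writes the unsigned 8-byte _Integer64 `value` at `address` in the first running process
    ' whose image name equals `process`. Returns non-zero when WriteProcessMemory reported
    ' success and 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a write needs PROCESS_VM_WRITE and PROCESS_VM_OPERATION only.
                hProcess = OpenProcess(PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    memo = WriteProcessMemory(hProcess, address, _Offset(value), 8, 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeUnsignedInt64 = memo
End Function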
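Function PeekString$ (process As String, address As _Unsigned _Offset)
    ' Reads the NUL-terminated byte string at `address` in the first running process whose
    ' image name equals `process` and returns it without the terminator. Returns "" when no
    ' process matches, the process cannot be opened, or the first byte cannot be read.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    '
    ' The length is found by reading the target one byte at a time. Calling strlen on
    ' `address` would measure memory of THIS process, because the pointer only has meaning
    ' inside the target; that either faults or yields an unrelated length.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo
    Dim As _Unsigned _Byte ch
    Dim As Long i, maxLen
    Dim As String result
    maxLen = 4096 ' constructed upper bound: an unterminated region cannot make the scan run away
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Least privilege: a read needs PROCESS_VM_READ only.
                hProcess = OpenProcess(PROCESS_VM_READ, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    For i = 0 To maxLen - 1
                        memo = ReadProcessMemory(hProcess, address + i, _Offset(ch), 1, 0)
                        If memo = 0 Then Exit For ' unreadable byte: keep what was collected so far
                        If ch = 0 Then Exit For ' terminator reached
                        result = result + Chr$(ch)
                    Next
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PeekString = result
End Function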
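Function PokeString% (process As String, address As _Unsigned _Offset, value As String)
    ' Replaces the NUL-terminated byte string at `address` in the first running process whose
    ' image name equals `process` with `value`. Returns non-zero when WriteProcessMemory
    ' reported success and 0 when no process matched, it could not be opened, or the write failed.
    ' Name matching is case-sensitive and expects a lower-case ".exe" suffix.
    '
    ' Changes from the earlier version:
    '  - the old string's length is measured inside the target with bounded byte reads,
    '    not with strlen, which would walk this process's own memory;
    '  - a shorter `value` is padded with NULs up to exactly the old string's length plus
    '    terminator, so nothing past the old terminator is touched;
    '  - the text is built in a local copy, so the caller's `value` is left unchanged.
    ' NOTE(review): when `value` is longer than the string already stored, the write still
    ' runs past the old terminator; the size of the target buffer is not known here, so the
    ' caller has to guarantee the capacity.
    Dim As _Offset hProcessSnap, hProcess
    Dim As PROCESSENTRY32 pe32
    Dim As _Byte memo, ok
    Dim As _Unsigned _Byte ch
    Dim As Long lenaddress, i, maxScan
    Dim As String buffer
    maxScan = 4096 ' constructed upper bound on how far the old string is measured
    buffer = value
    If Right$(buffer, 1) <> Chr$(0) Then
        buffer = buffer + Chr$(0)
    End If
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    If hProcessSnap = -1 Then Exit Function ' INVALID_HANDLE_VALUE: nothing to walk or close
    pe32.dwSize = Len(pe32)
    If Process32First(hProcessSnap, _Offset(pe32)) Then
        Do ' the entry returned by Process32First is tested as well
            If _StrCmp(Left$(pe32.szExeFile, InStr(pe32.szExeFile, ".exe" + Chr$(0)) + 3), process) = 0 Then
                ' Read access is needed to measure the old string; query rights are not.
                hProcess = OpenProcess(PROCESS_VM_READ Or PROCESS_VM_WRITE Or PROCESS_VM_OPERATION, TOM_FALSE, pe32.th32ProcessID)
                If hProcess <> 0 Then
                    For i = 0 To maxScan - 1
                        ok = ReadProcessMemory(hProcess, address + i, _Offset(ch), 1, 0)
                        If ok = 0 Then Exit For
                        If ch = 0 Then Exit For
                        lenaddress = lenaddress + 1
                    Next
                    ' Blank out the tail of a longer old string, terminator included.
                    If lenaddress + 1 > Len(buffer) Then
                        buffer = buffer + String$(lenaddress + 1 - Len(buffer), 0)
                    End If
                    memo = WriteProcessMemory(hProcess, address, _Offset(buffer), Len(buffer), 0)
                    TomCloseHandle hProcess
                End If
                Exit Do
            End If
        Loop While Process32Next(hProcessSnap, _Offset(pe32))
    End If
    TomCloseHandle hProcessSnap
    PokeString = memo
End Function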
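Sub RelaunchAsAdmin
    ' Restarts this program elevated when it is not already running as administrator.
    ' Elevation test: cacls.exe is pointed at the SYSTEM hive file under system32\config;
    ' exit code 5 is treated as "not admin".
    ' The relaunch uses PowerShell Start-Process with -Verb runAs. This instance then ends
    ' through System, whether or not the elevated copy actually starts.
    Dim As String exePath, psLiteral, c
    Dim As Long i
    If _ShellHide(">nul 2>&1 " + Chr$(34) + "%SYSTEMROOT%\system32\cacls.exe" + Chr$(34) + " " + Chr$(34) + "%SYSTEMROOT%\system32\config\system" + Chr$(34)) = 5 Then 'not admin
        exePath = Command$(0)
        ' The path ends up inside a PowerShell single-quoted literal. An apostrophe in it
        ' (constructed example: C:\Users\O'Neil\tool.exe) would close the literal early and
        ' the remainder would be parsed as PowerShell code, so each one is doubled.
        For i = 1 To Len(exePath)
            c = Mid$(exePath, i, 1)
            If c = "'" Then
                psLiteral = psLiteral + "''"
            Else
                psLiteral = psLiteral + c
            End If
        Next
        ' NOTE(review): "PowerShell" is located through the shell's search order, not by an
        ' absolute path. Consider the full path under %SYSTEMROOT% so that a same-named file
        ' in the working directory or earlier on PATH cannot be picked up before elevation.
        Shell _Hide _DontWait "PowerShell Start-Process " + "'" + Chr$(34) + psLiteral + Chr$(34) + "'" + " -Verb runAs"
        System
    End If
End Sub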
'End $INCLUDE
Tread on those who tread on you