How to Elegantly Hack the Computer Lab's Control Program

Some people may find it odd: one moment I'm banning games, the next I'm hacking the lab system.

I don't know either; I just write whatever code comes to mind.

The software being open-sourced this time should be familiar to everyone in grade 10 and grade 11: the "E-Classroom Student-Side Attack System" (电子教室学生端攻击系统). I started writing this code at the beginning of grade 10, so it has been almost two years now.

At the moment there are two main tools in grade 10 students' hands that can hack the control system. One is the "E-Classroom Student-Side Attack System", written by me, Zhang Youjie (张佑杰) of grade 11 class 10; the other is "FuckTeacher", written by Wang Xinzhe (王新哲), now in grade 11 class 15. In terms of programming skill, Wang Xinzhe is leagues ahead of me: he uses hooks directly, whereas I only use the Windows debug tools and API, so mine falls well short. The two programs have the same functionality, though.

The "E-Classroom Student-Side Attack System" circulated widely in grade 10, mainly the 5.0[adv] version, and some classmates have asked me for the source. Here I am releasing the source code of the latest version, 5.1. The source is under the MIT license; feel free to take a look.

I plan to maintain this software until summer break, after which a 6.0 version should come out. I intend 6.0 to be the final version, since everything that should be implemented has been.

Portal: Hack-StudentMain

GitHub loads rather slowly, so I'll put the code of a feature newly added in 5.1 (feature list item 4: hijacking a program) directly in the blog.


'****************************************************************************
' Author: Zhang Youjie
'
' Name: Form999.frm
'
' Description: code that hijacks a program into our own window
'
' Website: https://www.johnzhang.xyz/
'
' Email: zsgsdesign@gmail.com
'
' MIT licensed; derivative work must credit the original author!
'****************************************************************************
Option Explicit
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As Long, ByVal lpWindowName As Long) As Long
Private Declare Function GetWindow Lib "user32" (ByVal hwnd As Long, ByVal wCmd As Long) As Long
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function GetWindowText Lib "user32" Alias "GetWindowTextA" (ByVal hwnd As Long, ByVal lpString As String, ByVal cch As Long) As Long
Private Declare Function SetParent Lib "user32" (ByVal hWndChild As Long, ByVal hWndNewParent As Long) As Long
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapShot As Long, lppe As PROCESSENTRY32) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
Private Declare Function GetParent Lib "user32" (ByVal hwnd As Long) As Long
Private Const GW_HWNDNEXT = 2
Private old_parent As Long
Private child_hwnd As Long
Private Const TH32CS_SNAPPROCESS = &H2&

Private Type PROCESSENTRY32
dwSize As Long
cntUsage As Long
th32ProcessID As Long
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szExeFile As String * 260
End Type

Public Function GetPsPid(sProcess As String) As Long
Dim lSnapShot As Long
Dim lNextProcess As Long
Dim tPE As PROCESSENTRY32
' Take a snapshot of all processes and walk it with Process32First/Process32Next.
lSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
If lSnapShot <> -1 Then
tPE.dwSize = Len(tPE)
lNextProcess = Process32First(lSnapShot, tPE)
Do While lNextProcess
' szExeFile is a fixed 260-char buffer: cut it at the first NUL and compare case-insensitively.
If LCase$(sProcess) = LCase$(Left(tPE.szExeFile, InStr(1, tPE.szExeFile, Chr(0)) - 1)) Then
GetPsPid = tPE.th32ProcessID
End If
lNextProcess = Process32Next(lSnapShot, tPE)
Loop
' Only the snapshot handle is ours to close; no process handle was opened above.
CloseHandle lSnapShot
End If
End Function

Private Function InstanceToWnd(ByVal target_pid As Long) As Long
Dim test_hwnd As Long
Dim test_pid As Long
Dim test_thread_id As Long

' Get the first window handle.
test_hwnd = FindWindow(ByVal 0&, ByVal 0&)

' Walk the window list with a Do While loop to find the target window.
' We leave the loop once the target is found or test_hwnd becomes 0.
Do While test_hwnd <> 0
' See whether this window has a parent; if not, it is a top-level window.
If GetParent(test_hwnd) = 0 Then
' A top-level window: check whether it belongs to the target process.
test_thread_id = GetWindowThreadProcessId(test_hwnd, test_pid)
If test_pid = target_pid Then
' Found the target.
InstanceToWnd = test_hwnd
Exit Do
End If
End If

' Check the next window.
test_hwnd = GetWindow(test_hwnd, GW_HWNDNEXT)
Loop
End Function

Private Sub cmdDo_Click()
Dim pid As Long

' Get the PID (this part originally did something else; I changed it).
pid = GetPsPid(txtProgram.Text)
If pid = 0 Then
MsgBox "当前没有找到这个进程!"
Exit Sub
End If

' Get the handle of that process's top-level window.
child_hwnd = InstanceToWnd(pid)
If child_hwnd = 0 Then
' The process exists but owns no top-level window; SetParent on a 0 handle would just fail.
MsgBox "Process found, but it has no top-level window!"
Exit Sub
End If

' Keep the program inside our MDI form!
old_parent = SetParent(child_hwnd, MDIForm1.hwnd)

Me.cmdFree.Enabled = True

End Sub

Private Sub cmdFree_Click()
If GetPsPid(txtProgram.Text) = 0 Then
MsgBox "当前没有找到这个进程!", vbInformation, "提示!"
Else
' Hand the window back to its original parent.
SetParent child_hwnd, old_parent
End If
cmdDo.Enabled = True
cmdFree.Enabled = False
End Sub

Private Sub exe_Click()
cmdDo_Click
End Sub

Private Sub put_Click()
cmdFree_Click
End Sub

Private Sub Form_Load()

End Sub

Likewise, put the following code in MDIForm1:


'****************************************************************************
' Author: Zhang Youjie
'
' Name: MDIForm1.frm
'
' Description: code that shows the host (parent) window
'
' Website: https://www.johnzhang.xyz/
'
' Email: zsgsdesign@gmail.com
'
' MIT licensed; derivative work must credit the original author!
'****************************************************************************
Option Explicit
Private Const WS_MAXIMIZEBOX As Long = &H10000
Private Const WS_THICKFRAME As Long = &H40000
Private Const WS_MINIMIZEBOX = &H20000
Private Const GWL_STYLE = (-16)
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Private Sub MDIForm_Load()
Dim lStyle As Long
Me.Caption = "电子教室学生端攻击系统-v" & App.Major & "." & App.Minor

' Strip the maximize box, minimize box and sizing border so the host window has a fixed frame.
lStyle = GetWindowLong(Me.hwnd, GWL_STYLE)
lStyle = lStyle And Not WS_MAXIMIZEBOX ' maximize box
lStyle = lStyle And Not WS_MINIMIZEBOX ' minimize box
lStyle = lStyle And Not WS_THICKFRAME ' resizable border
SetWindowLong Me.hwnd, GWL_STYLE, lStyle
End Sub
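As an added example (not the post's own code), here is the defender's mirror image of the routine above: a guard that a classroom control program can run in its own main form to notice that its top-level window was pulled under a foreign parent with SetParent, put it back on the desktop, and log which process did it. It assumes a Timer control named tmrGuard on the protected form; LogEvent is a hypothetical logging routine stubbed out with Debug.Print.

```vb
Option Explicit

' Added example, not part of the original post. Guard code for the main form of
' a program that someone might try to reparent. Assumes a Timer control named
' tmrGuard on this form; LogEvent is a hypothetical logger (here Debug.Print).

Private Declare Function GetAncestor Lib "user32" (ByVal hwnd As Long, ByVal gaFlags As Long) As Long
Private Declare Function GetDesktopWindow Lib "user32" () As Long
Private Declare Function SetParent Lib "user32" (ByVal hWndChild As Long, ByVal hWndNewParent As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long

Private Const GA_PARENT As Long = 1
Private Const GWL_STYLE As Long = (-16)
Private Const WS_CHILD As Long = &H40000000

' True when the window sits under some window other than the desktop.
' A normal top-level window reports the desktop as its GA_PARENT ancestor.
Public Function IsReparented(ByVal hwnd As Long) As Boolean
    IsReparented = (GetAncestor(hwnd, GA_PARENT) <> GetDesktopWindow())
End Function

' Detaches the window from the foreign parent and returns the PID that owns
' that parent so the event can be logged; returns 0 when nothing was wrong.
Public Function RestoreTopLevel(ByVal hwnd As Long) As Long
    Dim hParent As Long, ownerPid As Long, style As Long
    If Not IsReparented(hwnd) Then Exit Function
    hParent = GetAncestor(hwnd, GA_PARENT)
    GetWindowThreadProcessId hParent, ownerPid
    ' The SetParent docs say to clear WS_CHILD when moving a window back to the
    ' desktop; this is a no-op if the reparenting code never set it.
    style = GetWindowLong(hwnd, GWL_STYLE)
    SetWindowLong hwnd, GWL_STYLE, style And Not WS_CHILD
    SetParent hwnd, 0&
    RestoreTopLevel = ownerPid
End Function

' Poll from the timer: reparenting is a single API call, so a short interval
' (a few hundred ms) keeps the window out of a hijacker's frame.
Private Sub tmrGuard_Timer()
    Dim pid As Long
    pid = RestoreTopLevel(Me.hwnd)
    If pid <> 0 Then LogEvent "Main window was reparented by PID " & pid & "; restored"
End Sub

Private Sub LogEvent(ByVal msg As String)
    Debug.Print Now & " " & msg   ' hypothetical logger; replace with real logging
End Sub
```

Cross-process SetParent is also subject to UIPI, so running the control program's UI at a higher integrity level than the student's own processes blocks this technique before the guard is even needed.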

Give it a try. In practice, though, I found that the hijack feature has no effect on 极域 2010, the version in our lab; I'll deal with that later.

The first three methods provided in the program still work, haha.

If you're interested, leave a comment to contact me.
