VB创建SYSTEM用户进程(第二种方法)

Attribute VB_Name = "modHook"
Private Declare Function NtCreateProcessEx Lib "NTDLL.DLL" (ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Const PROCESS_QUERY_INFORMATION As Long = (&H400)
Private Const STANDARD_RIGHTS_REQUIRED As Long = &HF0000
Private Const SYNCHRONIZE As Long = &H100000
Private Const PROCESS_ALL_ACCESS As Long = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Type OBJECT_ATTRIBUTES
    Length As Long
    RootDirectory As Long
    ObjectName As Long
    Attributes As Long
    SecurityDescriptor As Long
    SecurityQualityOfService As Long
End Type

Public gclsHookInfo As clsHookInfo
Public glngProcess As Long
Public glngSystemHandle As Long

Public Function NtCreateProcessExCallback(ByRef ProcessHandle As Long, ByVal AccessMask As Long, ByVal ObjectAttributes As Long, ByVal hParentProcess As Long, ByVal InheritHandles As Long, ByVal hSection As Long, ByVal hDebugPort As Long, ByVal hExceptionPort As Long, ByVal reserv As Long) As Long
    Dim hReturn As Long
    'hParentProcess 指定为一个System用户进程的句柄,需要注意的是不要关闭此句柄
    gclsHookInfo.HookStatus False
    hReturn = NtCreateProcessEx(ProcessHandle, AccessMask, ObjectAttributes, glngSystemHandle, InheritHandles, hSection, hDebugPort, hExceptionPort, reserv)
    gclsHookInfo.HookStatus True
    NtCreateProcessExCallback = hReturn
End Function

Public Function GetFunAddr(lngFunAddr As Long) As Long
    GetFunAddr = lngFunAddr
End Function