Dim buf As Long
     buf = &H75
     WriteProcessMemory hProcess, ByVal &H40101A, buf, 1, 0&

菜鸟进来听课

正确。谢谢！能不能说明为什么？

WriteProcessMemory hProcess, ByVal &H40101A, [COLOR="Red"]ByVal[/COLOR] &H75, 1, 0&

lpBuffer是指针，不应该用ByVal

还是有点糊涂，ByVal &H40101A, &H75   前面的&H40101A就必须byval，后面的&H75就必须不能。从函数的参数上看不出来区别，遇到其它的函数时就不知道怎么写了。
在网上看到有用VB写Dubug Api的，先GetWindowThreadProcessId，再OpenProcess，
然后SuspendThread，接着GetThreadContext，设置Regs.Dr0和Regs.Dr7，
再SetThreadContext，ResumeThread，就能在设置的Dr0地址中断。
我模仿写了一段，发现VB本身不能识别Context结构，别人写的程序并没有定义Context结构啊？
在SuspendThread的时候目标程序好像也并没有中断暂停。
是不是VB不能写Debug Api？不好意思，我对其它语言不熟，写起来很吃力，只好用VB了。
ASM功能也很强大，但是还要自己写文本框等，感觉也挺难的。

只要是Win32Api用VB都可以写，但会比较吃力，没有现成的Context结构的定义，要自己定义，建议用C写。

lpBaseAddress 和 lpBuffer 都是指针，&H40101A 是指针的值，所以要ByVal按值传递，&H75是Buffer的内容，不是指针的值，所以要按引用传递

暂时放弃了VB编程，因为Context结构太难定义，不同的Flags有不同的定义，搞不定。
正在学习用asm编写loader，想实现在某个EIP上修改标志位的值以实现跳转的改变，这样就可以躲过一些文件校验。
按照插入int3的方法下断点好像会被文件校验检出，现在我是用在Dr0下硬件断点，文件校验可能检不出来。
不知道Dr7的硬件执行、硬件写入、硬件访问（WRE标志）断点应该怎么设置？
查到Dr7的17位开始表示WRE，是不是可以用or context.dr7,10000之类的方法置17位为1？

某年某个调试器的某些代码声明代码，可以参考下：

Public Const EXCEPTION_MAXIMUM_PARAMETERS = 15
Public Const INFINITE = &HFFFF
Public Const THREAD_ALL_ACCESS = &H1F03FF
Public Const PROCESS_ALL_ACCESS = &H1F0FFF
Public Const SIZE_OF_80387_REGISTERS           As Long = 80
Public Const MAXIMUM_SUPPORTED_EXTENSION       As Long = 512

Public Enum DebugEventTypes
    EXCEPTION_DEBUG_EVENT = 1&
    CREATE_THREAD_DEBUG_EVENT = 2&
    CREATE_PROCESS_DEBUG_EVENT = 3&
    EXIT_THREAD_DEBUG_EVENT = 4&
    EXIT_PROCESS_DEBUG_EVENT = 5&
    LOAD_DLL_DEBUG_EVENT = 6&
    UNLOAD_DLL_DEBUG_EVENT = 7&
    OUTPUT_DEBUG_STRING_EVENT = 8&
    RIP_EVENT = 9&
End Enum

Public Enum DebugStates
   DBG_CONTINUE = &H10002
   DBG_TERMINATE_THREAD = &H40010003
   DBG_TERMINATE_PROCESS = &H40010004
   DBG_CONTROL_C = &H40010005
   DBG_CONTROL_BREAK = &H40010008
   DBG_EXCEPTION_NOT_HANDLED = &H80010001
End Enum

Public Enum ExceptionCodes
    EXCEPTION_GUARD_PAGE_VIOLATION = &H80000001
    EXCEPTION_DATATYPE_MISALIGNMENT = &H80000002
    EXCEPTION_BREAKPOINT = &H80000003
    EXCEPTION_SINGLE_STEP = &H80000004
    EXCEPTION_ACCESS_VIOLATION = &HC0000005
    EXCEPTION_IN_PAGE_ERROR = &HC0000006
    EXCEPTION_INVALID_HANDLE = &HC0000008
    EXCEPTION_NO_MEMORY = &HC0000017
    EXCEPTION_ILLEGAL_INSTRUCTION = &HC000001D
    EXCEPTION_NONCONTINUABLE_EXCEPTION = &HC0000025
    EXCEPTION_INVALID_DISPOSITION = &HC0000026
    EXCEPTION_ARRAY_BOUNDS_EXCEEDED = &HC000008C
    EXCEPTION_FLOAT_DENORMAL_OPERAND = &HC000008D
    EXCEPTION_FLOAT_DIVIDE_BY_ZERO = &HC000008E
    EXCEPTION_FLOAT_INEXACT_RESULT = &HC000008F
    EXCEPTION_FLOAT_INVALID_OPERATION = &HC0000090
    EXCEPTION_FLOAT_OVERFLOW = &HC0000091
    EXCEPTION_FLOAT_STACK_CHECK = &HC0000092
    EXCEPTION_FLOAT_UNDERFLOW = &HC0000093
    EXCEPTION_INTEGER_DIVIDE_BY_ZERO = &HC0000094
    EXCEPTION_INTEGER_OVERFLOW = &HC0000095
    EXCEPTION_PRIVILEGED_INSTRUCTION = &HC0000096
    EXCEPTION_STACK_OVERFLOW = &HC00000FD
    EXCEPTION_CONTROL_C_EXIT = &HC000013A
    EXCEPTION_DLL_INIT_FAILED = &HC0000142
End Enum

Public Enum ExceptionFlags
    EXCEPTION_CONTINUABLE = 0
    EXCEPTION_NONCONTINUABLE = 1   '\\ Noncontinuable exception
End Enum

Public Enum ProcessCreationFlags
   DEBUG_PROCESS = &H1
   DEBUG_ONLY_THIS_PROCESS = &H2
   CREATE_SUSPENDED = &H4
   DETACHED_PROCESS = &H8
   CREATE_NEW_CONSOLE = &H10
   NORMAL_PRIORITY_CLASS = &H20
   IDLE_PRIORITY_CLASS = &H40
   HIGH_PRIORITY_CLASS = &H80
   REALTIME_PRIORITY_CLASS = &H100
   CREATE_NEW_PROCESS_GROUP = &H200
   CREATE_UNICODE_ENVIRONMENT = &H400
   CREATE_SEPARATE_WOW_VDM = &H800
   CREATE_SHARED_WOW_VDM = &H1000
   CREATE_FORCEDOS = &H2000
   CREATE_DEFAULT_ERROR_MODE = &H4000000
   CREATE_NO_WINDOW = &H8000000
End Enum

Public Type REGTYPE
    REG_Kind            As Byte  ' ;1=8 bits \ 2=16 bits \ 3=32 bits \ 4=MMX \ 5=XMM \ 6=Float stack \ 7=Segment \ 8=Debug \ 9=Control \ 10=Test
    REG_Ptr_Kind        As Byte  ' ;1=Byte PTR \ 2=Word PTR \ 3=Dword PTR \ 4=Qword PTR \ 5=mmword ptr \ 6=xmmword ptr \ 7=FWord PTR \ 8=tbyte ptr \ 9=null ptr (LEA)
    REG_Type            As Byte  ' ;0-7= direct register index \ 16 register=byte && 7 \ 32 register=(byte && 63)/8 \ 64=[32/16 address only] \ 128=[using x86 relatives]
    REG_BaseAsReg       As Byte  ' ;1=Register only (BASE exposed)!
End Type

Public Type REGSTRUCT
    SEG_TYPE            As Long
    BASE                As Long
    Index               As Long
    SCALE               As Long
    DISPLACEMENTS       As Long
    DISPLACEMENT_TYPE   As Long
    REG_Kind            As REGTYPE
    PTR_TYPE            As Long
End Type

Public Type IMMSTRUCT
    VALUE_LO            As Long
    VALUE_HI            As Long
    VALUE_TYPE          As Long     ' 1=Byte \ 2=Word \ 4=Dword \ 8=ByteToWord \ 16=ByteToDword \ 32=AbsJump \ 64=ShortJump \ 128=LongJump
End Type

Public Type DisAsmStruct
    Instruction_Prefix  As Long
    Instruction         As Long
    Reg1                As REGSTRUCT
    Reg2                As REGSTRUCT
    Reg_Reg             As Long '1=from ptr
    Imm                 As IMMSTRUCT
    Instruction_Length  As Long
End Type

Public Type PROCESS_INFORMATION
    hProcess            As Long
    hThread             As Long
    dwProcessId         As Long
    dwThreadId          As Long
End Type

Public Type STARTUPINFO
    cb                  As Long
    lpReserved          As String
    lpDesktop           As String
    lpTitle             As String
    dwX                 As Long
    dwY                 As Long
    dwXSize             As Long
    dwYSize             As Long
    dwXCountChars       As Long
    dwYCountChars       As Long
    dwFillAttribute     As Long
    dwFlags             As Long
    wShowWindow         As Integer
    cbReserved2         As Integer
    lpReserved2         As Long
    hStdInput           As Long
    hStdOutput          As Long
    hStdError           As Long
End Type

Public Type DEBUG_EVENT_HEADER
   dwDebugEventCode         As Long
   dwProcessId              As Long
   dwThreadId               As Long
   dwData(1023)             As Byte
End Type

Public Type EXCEPTION_RECORD
    ExceptionCode       As Long
    ExceptionFlags      As Long
    ExceptionRecord     As Long
    ExceptionAddress    As Long
    NumberParameters    As Long
    ExceptionInformation(EXCEPTION_MAXIMUM_PARAMETERS - 1) As Long
End Type

Public Type EXCEPTION_DEBUG_INFO
    ExceptionRecord         As EXCEPTION_RECORD
    dwFirstChance           As Long
End Type

Public Type CREATE_PROCESS_DEBUG_INFO
    hFile                   As Long
    hProcess                As Long
    hThread                 As Long
    lpBaseOfImage           As Long
    dwDebugInfoFileOffset   As Long
    nDebugInfoSize          As Long
    lpThreadLocalBase       As Long
    lpStartAddress          As Long
    lpImageName             As Long
    fUnicode                As Integer
End Type

Public Type EXIT_PROCESS_DEBUG_INFO
    dwExitCode              As Long
End Type

Public Type CREATE_THREAD_DEBUG_INFO
    hThread                 As Long
    lpThreadLocalBase       As Long
    lpStartAddress          As Long
End Type

Public Type EXIT_THREAD_DEBUG_INFO
    dwExitCode              As Long
End Type

Public Type LOAD_DLL_DEBUG_INFO
    hFile                   As Long
    lpBaseOfDll             As Long
    dwDebugInfoFileOffset   As Long
    nDebugInfoSize          As Long
    lpImageName             As Long
    fUnicode                As Integer
End Type

Public Type UNLOAD_DLL_DEBUG_INFO
    lpBaseOfDll             As Long
End Type

Public Type OUTPUT_DEBUG_STRING_INFO
    lpDebugStringData       As Long
    fUnicode                As Integer
    nDebugStringLength      As Integer
End Type

Public Type RIP_INFO
    dwError                 As Long
    dwType                  As Long
End Type

Public Type FLOATING_SAVE_AREA
    ControlWord     As Long
    StatusWord      As Long
    TagWord         As Long
    ErrorOffset     As Long
    ErrorSelector   As Long
    DataOffset      As Long
    DataSelector    As Long
    RegisterArea(SIZE_OF_80387_REGISTERS - 1) As Byte
    Cr0NpxState     As Long
End Type

Public Type CONTEXT
    ContextFlags    As Long
    Dr0             As Long
    Dr1             As Long
    Dr2             As Long
    Dr3             As Long
    Dr6             As Long
    Dr7             As Long
    FloatSave       As FLOATING_SAVE_AREA
    SegGs           As Long
    SegFs           As Long
    SegEs           As Long
    SegDs           As Long
    Edi             As Long
    Esi             As Long
    Ebx             As Long
    Edx             As Long
    Ecx             As Long
    Eax             As Long
    Ebp             As Long
    Eip             As Long
    SegCs           As Long
    EFlags          As Long
    Esp             As Long
    SegSs           As Long
    ExtendedRegisters(MAXIMUM_SUPPORTED_EXTENSION - 1) As Byte
End Type

'================================================
'                   DECLARE
'================================================

Declare Function UnsignedAdd Lib "unsigned" (ByVal v1 As Long, ByVal v2 As Long) As Long
Declare Function UnsignedSub Lib "unsigned" (ByVal v1 As Long, ByVal v2 As Long) As Long
Declare Function UnsignedDiv Lib "unsigned" (ByVal v1 As Long, ByVal v2 As Long) As Long
Declare Function UnsignedScale Lib "unsigned" (ByVal v1 As Long, ByVal v2 As Long) As Long

Declare Sub FatalExit Lib "kernel32" (ByVal ExitCode As Long)
Declare Sub DebugBreak Lib "kernel32" ()
Declare Sub DebugBreakProcess Lib "kernel32" (ByVal hProcess As Long)
Declare Function IsDebuggerPresent Lib "kernel32" () As Long
Declare Function DebugActiveProcess Lib "kernel32" (ByVal dwProcessId As Long) As Long
Declare Function DebugActiveProcessStop Lib "kernel32" (ByVal dwProcessId As Long) As Long
Declare Function DebugSetProcessKillOnExit Lib "kernel32" (ByVal KillOnExit As Long) As Long
Declare Function CheckRemoteDebuggerPresent Lib "kernel32" (ByVal hProcess As Long, ByRef pbDebuggerPresent As Long) As Long
Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Declare Function WaitForInputIdle Lib "User32" (ByVal hProcess As Long, ByVal dwMilliseconds As Long) As Long

Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Declare Sub OutputDebugString Lib "kernel32" Alias "OutputDebugStringA" (ByVal lpOutputString As String)
Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Declare Function WaitForDebugEvent Lib "kernel32" (lpDebugEvent As Any, ByVal dwMilliseconds As Long) As Long
Declare Function ContinueDebugEvent Lib "kernel32" (ByVal dwProcessId As Long, ByVal dwThreadId As Long, ByVal dwContinueStatus As Long) As Long
Declare Function FlushInstructionCache Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, ByVal dwSize As Long) As Long
Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long
Declare Function GetModuleFileNameEx Lib "PSAPI" Alias "GetModuleFileNameExA" (ByVal hProcess As Long, ByVal hModule As Long, ByVal lpFileName As String, nSize As Long) As Boolean
Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Declare Function OpenThread Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwThreadId As Long) As Long
Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Declare Function SuspendThread Lib "kernel32" (ByVal hThread As Long) As Long
Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Declare Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Declare Function GetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Declare Function SetThreadContext Lib "kernel32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Declare Function GetModuleFileName Lib "kernel32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFileName As String, ByVal nSize As Long) As Long
Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Declare Function DisAssemble Lib "DisAsm" (Data As Any, ByVal BaseAddress As Long, DisAsmString As Any, DisAsmS As Any, ByVal DisasmOpt As Long) As Long
Declare Function GetCursorPos Lib "User32" (lpPoint As POINTAPI) As Long
Declare Function ScreenToClient Lib "User32" (ByVal hwnd As Long, lpPoint As POINTAPI) As Long
Declare Function VirtualProtectEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Declare Function GetFileAttributes Lib "kernel32" Alias "GetFileAttributesA" (ByVal lpFileName As String) As Long

看看,凑齐帖子数量 预备发帖..

可以叠加的吗?

太……强了。先收藏。VB真的不方便。非常感谢！

能写入文字和数字吗