DLL注入代码

 下面是注入过程的代码。博主在 Windows XP/2000 下测试通过;由于我没有 Windows 2003/Vista,故未测试。(2009-4-15 01:20 Windows 2003 Server 下测试也已通过)

----此篇文章来自《深入WINDOWS编程》

unit toDllUnt;

{ Demo form that loads a DLL into another process: the DLL path is written
  into the target's address space and a remote thread is started at
  Kernel32!LoadLibraryW with that path as its argument.
  The review comments below describe what each call does and where the
  sequence is observable, so that a reader can recognise this pattern in
  telemetry; they do not alter the code. }

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  StdCtrls, tlhelp32;

type
  TtoDllFrm = class(TForm)
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  toDllFrm: TtoDllFrm;

implementation

{$R *.DFM}

{ Finds a running process by executable name using a Toolhelp snapshot.
  AFilename:  file name (or full path) to look for.
  PathMatch:  True  - compare the whole szExeFile string against AFilename;
              False - compare only the file names (ExtractFilename of both).
              Both comparisons are case-insensitive (AnsiStricomp).
  ProcessID:  receives th32ProcessID of the first matching entry, or 0 when
              no process matches.
  The snapshot handle is always closed before returning. }
procedure FindAProcess(const AFilename: string; const PathMatch: Boolean;
  var ProcessID: DWORD);
var
  lppe: TProcessEntry32;
  SsHandle: Thandle;
  FoundAProc, FoundOK: boolean;
begin
  ProcessID := 0;
  SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);
  FoundAProc := Process32First(Sshandle, lppe);
  while FoundAProc do
  begin
    if PathMatch then
      FoundOK := AnsiStricomp(lppe.szExefile, PChar(AFilename)) = 0
    else
      FoundOK := AnsiStricomp(PChar(ExtractFilename(lppe.szExefile)),
        PChar(ExtractFilename(AFilename))) = 0;
    if FoundOK then
    begin
      ProcessID := lppe.th32ProcessID;
      break;  // first match wins; later processes with the same name are ignored
    end;
    FoundAProc := Process32Next(SsHandle, lppe);
  end;
  CloseHandle(SsHandle);
end;

{ Enables (bEnabled = True) or disables (False) SeDebugPrivilege on the
  current process token.
  Returns True only when the token could be opened with
  TOKEN_ADJUST_PRIVILEGES and GetLastError reports ERROR_SUCCESS after
  AdjustTokenPrivileges; the Boolean result of AdjustTokenPrivileges itself
  is not examined, and LookupPrivilegeValue's result is not checked.
  Defender note: the privilege can only be enabled by an account that holds
  it (administrators by default), so running users without it is the
  least-privilege mitigation; a GUI application adjusting SeDebugPrivilege
  is also a useful audit signal on its own. }
function EnabledDebugPrivilege(const bEnabled: Boolean): Boolean;
var
  hToken: THandle;
  tp: TOKEN_PRIVILEGES;
  a: DWORD;
const
  SE_DEBUG_NAME = 'SeDebugPrivilege';
begin
  Result := False;
  if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then
  begin
    tp.PrivilegeCount := 1;
    LookupPrivilegeValue(nil, SE_DEBUG_NAME, tp.Privileges[0].Luid);
    if bEnabled then
      tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      tp.Privileges[0].Attributes := 0;
    a := 0;  // ReturnLength out-parameter; its value is never read
    AdjustTokenPrivileges(hToken, False, tp, SizeOf(tp), nil, a);
    Result := GetLastError = ERROR_SUCCESS;
    CloseHandle(hToken);
  end;
end;

{ Loads GuestFile into the process named HostFile (matched by file name only,
  see FindAProcess) or, when PID > 0, into the process with that id.
  Sequence as written: enable SeDebugPrivilege (result ignored) ->
  resolve the target PID -> OpenProcess with PROCESS_CREATE_THREAD,
  PROCESS_VM_OPERATION and PROCESS_VM_WRITE -> VirtualAllocEx(MEM_COMMIT,
  PAGE_READWRITE) for the wide-char path -> WriteProcessMemory ->
  CreateRemoteThread whose start address is the local address of
  Kernel32!LoadLibraryW and whose parameter is the remote path buffer.
  Returns whatever CreateRemoteThread returned, or 0 when WriteProcessMemory
  failed (the thread is then never created).
  Resource notes: hRemoteProcess is never closed, the remote buffer is never
  released, and the returned thread handle is the caller's to close; the
  results of OpenProcess and VirtualAllocEx are used without being checked.
  NOTE(review): Getmem sizes the local buffer in bytes (Length*2+1) while
  the same value is passed as StringToWideChar's DestSize - confirm the unit
  that parameter expects; the sizing looks inconsistent.
  Defender note: this exact chain - cross-process OpenProcess with VM_WRITE
  and CREATE_THREAD rights, VirtualAllocEx, WriteProcessMemory, then a
  remote thread whose start address lies in kernel32 (LoadLibraryW) - is the
  textbook remote-thread DLL-load pattern; EDR and Sysmon-style telemetry
  (remote thread creation events, image-load events in the target) is
  built to surface it, and the target sees the DLL arrive in a thread it did
  not create itself. }
function AttachToProcess(const HostFile, GuestFile: string;
  const PID: DWORD = 0): DWORD;
var
  hRemoteProcess: THandle;
  dwRemoteProcessId: DWORD;
  cb: DWORD;
  pszLibFileRemote: Pointer;
  iReturnCode: Boolean;
  TempVar: DWORD;
  pfnStartAddr: TFNThreadStartRoutine;
  pszLibAFilename: PwideChar;
begin
  Result := 0;
  EnabledDebugPrivilege(True);  // failure is not reported here; it surfaces only as OpenProcess failing
  Getmem(pszLibAFilename, Length(GuestFile) * 2 + 1);
  StringToWideChar(GuestFile, pszLibAFilename, Length(GuestFile) * 2 + 1);
  if PID > 0 then
    dwRemoteProcessID := PID
  else
    FindAProcess(HostFile, False, dwRemoteProcessID);  // basename match: any process called HostFile
  hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {allow remote thread creation}
    PROCESS_VM_OPERATION + {allow remote VM operations}
    PROCESS_VM_WRITE, {allow remote VM writes}
    FALSE, dwRemoteProcessId);
  // byte length of the wide path including its terminator
  cb := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);
  pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, cb, MEM_COMMIT, PAGE_READWRITE));
  TempVar := 0;  // bytes written; not inspected afterwards
  iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, cb, TempVar);
  if iReturnCode then
  begin
    // local address of LoadLibraryW; assumes Kernel32 is mapped at the same
    // address in the target process
    pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
    TempVar := 0;  // receives the new thread id; not used
    Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
  end;
  Freemem(pszLibAFilename);
end;

{ Button handler: loads Project2.dll (located next to this executable) into
  Explorer.exe. The thread handle returned by AttachToProcess is discarded. }
procedure TtoDllFrm.Button1Click(Sender: TObject);
begin
  AttachToProcess('Explorer.exe', ExtractFilePath(paramstr(0)) + 'Project2.dll');
  // Project2.dll is the DLL to inject into the Explorer.EXE process; Explorer.exe can also be another process.
  // Only API functions can be executed in the DLL; custom functions cannot be executed either, so to implement
  // some functionality, write it directly between the DLL's begin....end.
end;

end.

 

转载于:https://www.cnblogs.com/xieyunc/archive/2009/04/27/2793721.html
