首页 » 程序源码 » delphi源码 » delphi如何在win7中远程注入代码

delphi如何在win7中远程注入代码

一、delphi远程注入Dll文件

  1. 首先,您必须找到已经在内存中运行的应用程序(EXE)的PID。以下函数将通过名称获得PID
    function PIDbyName(ProcessName: PWideChar): DWORD;
    var
      ProcessSnap: Int64;
      ProcessEntry32: TProcessEntry32;
    begin
      Result := 0;
      ProcessSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
      if ProcessSnap <> INVALID_HANDLE_VALUE then
        begin
          ProcessEntry32.dwSize := SizeOf(TPROCESSENTRY32);
          if Process32First(ProcessSnap, ProcessEntry32) then
            repeat
              if lstrcmpi(ProcessEntry32.szExeFile, ProcessName) = 0 then
                begin
                  Result := ProcessEntry32.th32ProcessID;
                  CloseHandle(ProcessSnap);
                  exit;
                end;
            until not Process32Next(ProcessSnap, ProcessEntry32);
          Result := 0;
          CloseHandle(ProcessSnap);
        end;
    end;
  2. 这是32/64位应用程序的DLL注入函数 Source是DLL,Target是EXE
    function InjectDLL(Source, Target : PWideChar) : boolean;
    var
      dwThreadID: Cardinal;
      hProc, hThread: THandle;
      BytesToWrite, BytesWritten: SIZE_T;
      pRemoteBuffer, pLoadLibrary: Pointer;
    begin
      hProc := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ, False, PIDbyName(Target));
      if hProc = 0 then exit(false);
      try
        BytesToWrite := SizeOf(WideChar) * (Length(Source) + 1);
        pRemoteBuffer := VirtualAllocEx(hProc, nil, BytesToWrite, MEM_COMMIT,PAGE_READWRITE);
        if pRemoteBuffer = nil then exit(false);
        try
          if not WriteProcessMemory(hProc, pRemoteBuffer, Source, BytesToWrite, BytesWritten) then exit(false);
          pLoadLibrary := GetProcAddress(GetModuleHandle('kernel32.dll'), 'LoadLibraryW');
          hThread := CreateRemoteThread(hProc, nil, 0, pLoadLibrary, pRemoteBuffer, 0, dwThreadID);
          try
            WaitForSingleObject(hThread, INFINITE);
          finally
            Result := true;
            CloseHandle(hThread);
          end;
        finally
          VirtualFreeEx(hProc, pRemoteBuffer, 0, MEM_RELEASE);
        end;
      finally
          CloseHandle(hProc);
      end;
    end;
  3. 简单的DLL
    library testDLL;
    
    uses
      System.SysUtils,
      System.Classes,
      Winapi.Windows;
    
    {$R *.res}
    
    procedure DLLEntryPoint(dwReason: DWord);
    var
      DLLHandle : DWORD;
    begin
      case dwReason of
        DLL_PROCESS_ATTACH:
          MessageBox(DLLHandle, 'Process Attach', 'Info', mb_Ok);
        DLL_PROCESS_DETACH:
          MessageBox(DLLHandle, 'Process Detach', 'Info', mb_Ok);
      end;
    end;
    
    begin
      DllProc := @DLLEntryPoint;
      DllEntryPoint(DLL_PROCESS_ATTACH);
    end.

用法:InjectDLL(‘testDLL.dll’, ‘yourapplication.exe’)

二、delphi远程直接注入代码执行(非DLL插入是代码注入)

//-------------------------注入代码的函数----------------------------  
{参数说明: 
InHWND:被注入的窗口句柄 
Func:注入的函数的指针 
Param:参数的指针 
ParamSize:参数的大小 
}  
procedure InjectFunc(InHWND: HWND; Func: Pointer; Param: Pointer; ParamSize: DWORD);  
var  
    hProcess_N: THandle;  
    ThreadAdd, ParamAdd: Pointer;  
    hThread: THandle;  
    ThreadID: DWORD;  
    lpNumberOfBytes:DWORD;  
begin  
    GetWindowThreadProcessId(InHWND, @ThreadID);    //获得窗口ID  
    hProcess_N := OpenProcess(PROCESS_ALL_ACCESS, False, ThreadID);//打开被注入的进程  
    ThreadAdd := VirtualAllocEx(hProcess_N, nil, 4096, MEM_COMMIT, PAGE_READWRITE);    //申请写入代码空间  
    WriteProcessMemory(hProcess_N, ThreadAdd, Func, 4096, lpNumberOfBytes); //写入函数地址  
    ParamAdd := VirtualAllocEx(hProcess_N, nil, ParamSize, MEM_COMMIT, PAGE_READWRITE);    //申请写入代码参数空间  
    WriteProcessMemory(hProcess_N, ParamAdd, Param, ParamSize, lpNumberOfBytes); //写入参数地址  
    hThread := CreateRemoteThread(hProcess_N, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes); //创建远程线程  
    ResumeThread(hThread); //直接运行线程  
    CloseHandle(hThread); //关闭线程  
    VirtualFreeEx(hProcess_N, ThreadAdd, 4096, MEM_RELEASE);  
    VirtualFreeEx(hProcess_N, ParamAdd, ParamSize, MEM_RELEASE); //释放申请的地址  
    CloseHandle(hProcess_N); //关闭打开的句柄  
end;  
//-----------------------------定义一个参数类型-----------------------  
type  
    TPickCallParam = packed record  
      ax, ay: single;  
    end;  
    PPickCallParam = ^TPickCallParam;    //指向结构的指针(C中叫这种方式的数据应该叫结构体吧)  
procedure runCall(p:PPickCallParam);stdcall;    // 走路call  
var  
addres,addres1,addres2:pointer;  
x,y:single;  
begin  
      addres:=pointer($0045ec00);  
      addres1:=pointer($00462620);  
      addres2:=pointer($0045f000);  
      x:=p^.ax;              //目的地X坐标  
      y:=p^.ay;            //目的地Y坐标  
      asm  
      pushad  
        mov      eax, dword ptr [$8f207c]  
        mov      eax, dword ptr [eax+$1C]  
        mov      esi, dword ptr [eax+$20]  
        mov      ecx, dword ptr [esi+$ba0]  
        push      1  
        call      addres  
        mov      edi, eax  
        lea      eax, dword ptr [esp+$18]  
        push      eax  
        push      0  
        mov      ecx, edi  
        call      addres1  
        push      0  
        push      1  
        push      edi  
        mov      ecx, dword ptr [esi+$ba0]  
        push      1  
        call      addres2  
        mov      eax, dword ptr [$8f207c]  
        mov      eax, dword ptr [eax+$1C]  
        mov      eax, dword ptr [eax+$20]  
        mov      eax, dword ptr [eax+$ba0]  
        mov      eax, dword ptr [eax+$30]  
        mov      ecx, dword ptr [eax+4]  
        mov      eax, x  
        mov      [ecx+$20], eax  
        mov      eax, y  
        mov      [ecx+$28], eax  
      popad  
      end;  
END;  
procedure TForm1.Button1Click(Sender: TObject);//在控件中做个按钮 测试  
var  
      CallParam:TPickCallParam;  
begin;  
    getmem(pname,33);  
    myhwnd := FindWindow(nil,'Element Client');{查找窗口句柄}  
    GetWindowThreadProcessId(myhwnd, aproc); {得到窗口ID}  
    phnd := OpenProcess(PROCESS_VM_READ , False, aproc);{以完全访问权限打开进程句柄}  
    if (phnd<>0 ) then  
    begin  
      CallParam.ax:= 1860.0;    //给注入代码函数赋值  
      CallParam.ay:=120.0;      //给注入代码函数赋值  
      InjectFunc(myhWnd,@runCall,@CallParam,SizeOf(CallParam)); //运行注入代码函数  
      sleep(100);  
      CloseHandle(PHND) //关闭进程  
    end;  
end;    

三、远程代码或DLL注入x86/x64/Win2k/win7~Win8.1 64位全可用(最重要的隆重登场)

上面的一和二远程注入,在win7 64位系统下,不能成功注入service服务程序,下面代码实现在64位系统,可以注入系统进程,服务进程等!看关键函数NtCreateThreadEx,而在win7 64位下的注入问题http://forum.sources.ru/index.php?showtopic=313636有相应讨论

program Inject;
 
{$APPTYPE CONSOLE}
 
 
{$IF CompilerVersion >= 21.0}
{$WEAKLINKRTTI ON}
{$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])}
{$IFEND}
 
uses
 Winapi.Windows;
 
Type
 NtCreateThreadExProc = Function(Var hThread:THandle; Access:DWORD; Attributes:Pointer; hProcess:THandle; pStart:Pointer; pParameter:Pointer; Suspended:BOOL; StackSize, u1, u2:DWORD; Unknown:Pointer):DWORD; stdcall; 
 
 
Function CheckOs():Boolean;
Var
 lpVersionInformation :TOSVersionInfoW;
begin
 Result := False;
 if GetVersionExW(lpVersionInformation) then
 begin
 if lpVersionInformation.dwPlatformId = VER_PLATFORM_WIN32_NT Then
 begin
 if (lpVersionInformation.dwMajorVersion < 6) then
 begin
 Result := True;
 end; 
 end; 
 end;
end;
 
Function EnableDebugPrivilege():Boolean;
Var
 hToKen :THandle;
 TokenPri :TTokenPrivileges;
begin
 Result := False;
 if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES, hToKen)) Then
 begin
 TokenPri.PrivilegeCount := 1;
 If LookupPrivilegeValueW(Nil, 'SeDebugPrivilege', TokenPri.Privileges[0].Luid) Then
 begin
 TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
 Result := AdjustTokenPrivileges(hToken, False, TokenPri, SizeOf(TTokenPrivileges), Nil, PDWORD(Nil)^);
 end Else Writeln('LookupPrivilege Error');
 CloseHandle(hToKen);
 end;
end;
 
Function RemoteThread(hProcess:THandle; pThreadProc:Pointer; pRemote:Pointer):THandle;
Label NtCreate, Create;
Var
 pFunc :Pointer;
 hThread :THandle;
begin
 hThread := 0;
 if Not CheckOs() then //根据系统版本来选择使用的API
 begin
 NtCreate:
 pFunc := GetProcAddress(LoadLibraryW('ntdll.dll'), 'NtCreateThreadEx');
 if pFunc = Nil then Goto Create; 
 NtCreateThreadExProc(pFunc)(hThread, $1FFFFF, Nil, hProcess, pThreadProc, pRemote, False, 0, 0, 0, Nil);
 if hThread = 0 then Goto Create;
 end Else
 begin
 Create:
 hThread := CreateRemoteThread(hProcess, Nil, 0, pThreadProc, pRemote, 0, PDWORD(Nil)^); 
 end;
 Writeln('RemoteThread Ok!');
 Result := hThread;
end; 
 
Function InjectDll2Pid(szPath:PWideChar; uPID:DWORD):Boolean;
Var
 hProcess :THandle;
 hThread :THandle;
 szRemote :PWideChar;
 uSize :SIZE_T;
 uWrite :SIZE_T;
 pStartAddr:Pointer;
begin
 Result := False;
 if EnableDebugPrivilege then
 begin //先提升下进程的权限
 hProcess := OpenProcess(PROCESS_ALL_ACCESS, false, uPID);
 if hProcess > 0 then
 begin
 uSize := lstrlenW(szPath) * 2 + 4;
 szRemote := VirtualAllocEx(hProcess, Nil, uSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 if WriteProcessMemory(hProcess, szRemote, szPath, uSize, uWrite) And (uWrite = uSize) then
 begin
 pStartAddr := GetProcAddress(LoadLibrary('Kernel32.dll'), 'LoadLibraryW');
 hThread := RemoteThread(hProcess, pStartAddr, szRemote);
 Result := hThread <> 0;
 CloseHandle(hThread);
 end Else
 begin
 Writeln('WriteMemory Error');
 end; 
 end; 
 end; 
end; 
 
Function StrToInt(S: String): Integer;
Var
 E: Integer;
Begin
 Val(S, Result, E);
End;
 
begin
 InjectDll2Pid(PWideChar(ParamStr(2)), StrToInt(ParamStr(1)));
end.

NtCreateThreadEx注入注意事项:

百脑问
此处内容已经被作者无情的隐藏,请输入验证码查看内容
验证码:
请关注“百脑问官方公众号,回复关键字“118”,获取验证码。【注】用微信扫描右侧二维码就可以关注“百脑问”官方公众号。

未经允许不得转载:百脑问 » delphi如何在win7中远程注入代码

×

感谢您的支持,我们会一直保持!

扫码支持
请土豪扫码随意打赏

打开微信扫一扫,即可进行扫码打赏哦

分享从这里开始,精彩与您同在

分享到:更多 ()

评论 抢沙发

评论前必须登录!

百脑问 创新坚持 杰然不同

赞助我们联系我们
数据查询次数:18 消耗时间:0.547 秒, 使用内存: 21.03MB
您好,有什么可以帮您吗!