一. delphi远程注入Dll文件
- 首先,您必须找到已经在内存中运行的应用程序(EXE)的PID。以下函数将通过名称获得PID
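// Look up the process ID of a running process by its executable file name
// (case-insensitive comparison against szExeFile, e.g. 'notepad.exe').
// Returns 0 when no process of that name is found or when the ToolHelp
// snapshot cannot be taken. If several processes share the name, the
// first one the snapshot enumerates is returned.
function PIDbyName(ProcessName: PWideChar): DWORD;
var
  ProcessSnap: THandle;   // CreateToolhelp32Snapshot returns a THandle, not Int64
  ProcessEntry32: TProcessEntry32;
begin
  Result := 0;
  ProcessSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if ProcessSnap = INVALID_HANDLE_VALUE then
    Exit;
  try
    // dwSize must be initialised before the first call or Process32First fails.
    ProcessEntry32.dwSize := SizeOf(TProcessEntry32);
    if Process32First(ProcessSnap, ProcessEntry32) then
      repeat
        if lstrcmpi(ProcessEntry32.szExeFile, ProcessName) = 0 then
        begin
          Result := ProcessEntry32.th32ProcessID;
          Break;
        end;
      until not Process32Next(ProcessSnap, ProcessEntry32);
  finally
    // One CloseHandle on every path (the original closed on two separate
    // paths and relied on a mismatched Int64 snapshot type).
    CloseHandle(ProcessSnap);
  end;
end;
- 这是32/64位应用程序的DLL注入函数 Source是DLL,Target是EXE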
// Classic CreateRemoteThread/LoadLibraryW injection: the DLL path (Source)
// is copied into the target process (Target, an EXE name resolved through
// PIDbyName) and a remote thread is started at LoadLibraryW with that path
// as its argument. Returns False when the process cannot be opened, the
// remote buffer cannot be allocated, or the write fails.
//
// Defects visible in this listing (left as-is here):
//  * pLoadLibrary and hThread are never checked. If GetProcAddress or
//    CreateRemoteThread fails, WaitForSingleObject is called on handle 0
//    and the finally block still sets Result := true, so the caller is
//    told the injection succeeded.
//  * WaitForSingleObject(..., INFINITE) blocks this process for as long as
//    the remote LoadLibraryW call (and the DLL's entry point) takes.
//  * The LoadLibraryW address is read from this process and reused in the
//    target; that is only meaningful when both processes have the same
//    bitness, as the note in section 三 of this page states.
//  * A relative path such as 'testDLL.dll' is resolved by LoadLibraryW in
//    the *target* process, using its search order, not the injector's.
// From a detection standpoint this exact call sequence (OpenProcess with
// PROCESS_VM_WRITE or PROCESS_CREATE_THREAD, VirtualAllocEx,
// WriteProcessMemory, CreateRemoteThread with LoadLibraryW as the start
// address) is what Sysmon event ID 8 and most EDR remote-thread telemetry
// are designed to surface.
function InjectDLL(Source, Target : PWideChar) : boolean;
var
dwThreadID: Cardinal;
hProc, hThread: THandle;
BytesToWrite, BytesWritten: SIZE_T;
pRemoteBuffer, pLoadLibrary: Pointer;
begin
// PIDbyName returns 0 for an unknown name; OpenProcess on PID 0 is expected
// to fail, which the hProc = 0 check below turns into a False result.
hProc := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ, False, PIDbyName(Target));
if hProc = 0 then exit(false);
try
// Byte count of the wide string including its terminating #0.
BytesToWrite := SizeOf(WideChar) * (Length(Source) + 1);
pRemoteBuffer := VirtualAllocEx(hProc, nil, BytesToWrite, MEM_COMMIT,PAGE_READWRITE);
if pRemoteBuffer = nil then exit(false);
try
if not WriteProcessMemory(hProc, pRemoteBuffer, Source, BytesToWrite, BytesWritten) then exit(false);
// No nil check on the result (see header comment).
pLoadLibrary := GetProcAddress(GetModuleHandle('kernel32.dll'), 'LoadLibraryW');
// No zero check on hThread (see header comment).
hThread := CreateRemoteThread(hProc, nil, 0, pLoadLibrary, pRemoteBuffer, 0, dwThreadID);
try
WaitForSingleObject(hThread, INFINITE);
finally
// Set unconditionally, even when the thread was never created.
Result := true;
CloseHandle(hThread);
end;
finally
// Freed only after the wait above returns, i.e. after the remote thread
// has finished with the path buffer.
VirtualFreeEx(hProc, pRemoteBuffer, 0, MEM_RELEASE);
end;
finally
CloseHandle(hProc);
end;
end;
- 简单的DLL用法:InjectDLL(‘testDLL.dll’, ‘yourapplication.exe’)
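library testDLL;

uses
  System.SysUtils,
  System.Classes,
  Winapi.Windows;

// Demonstration payload: shows a message box on process attach and on
// process detach. dwReason is the DLL_PROCESS_* / DLL_THREAD_* code the
// loader passes through DllProc; only the two process-level reasons are
// handled, thread attach/detach fall through the case silently.
// Note: this runs on the DLL entry path (under the loader lock); a real
// DLL should avoid UI and further LoadLibrary calls here.
procedure DLLEntryPoint(dwReason: DWord);
begin
  case dwReason of
    DLL_PROCESS_ATTACH:
      // Owner window 0 (none). The original passed an uninitialised local
      // (DLLHandle) as the owner hWnd, which is undefined.
      MessageBox(0, 'Process Attach', 'Info', mb_Ok);
    DLL_PROCESS_DETACH:
      MessageBox(0, 'Process Detach', 'Info', mb_Ok);
  end;
end;

begin
  // The initial PROCESS_ATTACH is not delivered through DllProc (this main
  // block runs in its place), so it is invoked explicitly once the hook
  // is installed.
  DllProc := @DLLEntryPoint;
  DllEntryPoint(DLL_PROCESS_ATTACH);
end.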
二. delphi远程直接注入代码执行(不插入DLL,而是直接注入代码)
1 | //-------------------------注入代码的函数---------------------------- |
三. 远程代码或DLL注入x86/x64/Win2k/win7~Win8.1 64位全可用(最重要的隆重登场)
上面的一和二远程注入,在win7 64位系统下,不能成功注入service服务程序,下面代码实现在64位系统,可以注入系统进程,服务进程等!看关键函数NtCreateThreadEx,而在win7 64位下的注入问题http://forum.sources.ru/index.php?showtopic=313636有相应讨论
1 | program Inject; |
NtCreateThreadEx注入注意事项:
64位的进程,只能使用64位的dll注入,注入程序本身也必须编译为64位程序;32位的进程,只能使用32位的dll注入,注入程序本身也必须编译为32位程序,不然会注入不成功!比如你把程序编译为32位程序,想在win7 64位下往services.exe注入,是不会成功的,因为services.exe在win7 64位下是64位程序!