小弟只有20分 刚来 希望各位指点
unit Unit1;interfaceuses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;type
// Main form of the demo: a single button whose OnClick handler
// (TForm1.Button1Click, in the implementation section) drives the whole
// privilege-elevation / injection sequence shown below.
TForm1 = class(TForm)
Button1: TButton; // presumably laid out in the .dfm loaded by {$R *.dfm}
procedure Button1Click(Sender: TObject); // OnClick handler
private
{ Private declarations }
public
{ Public declarations }
end;var
Form1: TForm1;implementation{$R *.dfm}
//提升权限
// Enables SeDebugPrivilege on this process's own access token so that a later
// OpenProcess() on another process is not refused by the access check.
// No return value is checked, so a failure (e.g. the token not holding the
// privilege at all) goes unnoticed and the caller proceeds regardless.
// Enabling SeDebugPrivilege is commonly treated as a high-signal event by
// host telemetry, so this call is the first thing a defender would see.
procedure SetPrivilege;
var
OldTokenPrivileges, TokenPrivileges: TTokenPrivileges; // reused as the new-state buffers of the two calls below
ReturnLength: dword; // byte count the first AdjustTokenPrivileges call reports
hToken: THandle; // this process's token; never closed (handle leak)
Luid: int64; // LUID of SeDebugPrivilege (int64 standing in for TLargeInteger)
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken);
LookupPrivilegeValue(nil, 'SeDebugPrivilege', Luid);
TokenPrivileges.Privileges[0].luid := Luid;
TokenPrivileges.PrivilegeCount := 1;
TokenPrivileges.Privileges[0].Attributes := 0;
// First call: Attributes = 0, i.e. the privilege is set *disabled*. The
// previous state is written to OldTokenPrivileges, but the next three lines
// overwrite that buffer before it is used, so this call effectively only
// fills ReturnLength.
AdjustTokenPrivileges(hToken, False, TokenPrivileges, SizeOf(TTokenPrivileges), OldTokenPrivileges, ReturnLength);
OldTokenPrivileges.Privileges[0].luid := Luid;
OldTokenPrivileges.PrivilegeCount := 1;
// TokenPrivileges.Privileges[0].Attributes is still 0 here, so this is just SE_PRIVILEGE_ENABLED.
OldTokenPrivileges.Privileges[0].Attributes := TokenPrivileges.Privileges[0].Attributes or SE_PRIVILEGE_ENABLED;
// Second call: enable the privilege. ReturnLength (from the first call) is
// passed as the buffer length, and PTokenPrivileges(nil)^ is the Delphi way
// of passing a nil previous-state pointer.
AdjustTokenPrivileges(hToken, False, OldTokenPrivileges, ReturnLength, PTokenPrivileges(nil)^, ReturnLength);
end;
///自己随便写的函数
// Payload intended to run inside the target process as the start routine of
// the remote thread created in Inject. It shows a message box and then calls
// ExitProcess, which terminates whichever process it is running in, so the
// Result assignment is never reached. As the replies on this thread point
// out, @Main is an address in *this* process and means nothing in the target.
function Main(dwEntryPoint: Pointer): longword; stdcall;
begin
messagebox(0,'哈哈','哈哈,注入成功',MB_ok); // title/text: "haha" / "haha, injection succeeded"
ExitProcess(0); // nothing after this line executes
Result := 0; // unreachable
end; // direct function insertion
// Copies this process's entire executable image into the address space of
// ProcessHandle and starts a remote thread at EntryPoint. Nothing is checked.
// The replies on this thread explain why it cannot work as written: the
// image is copied as raw bytes with no relocation or initialisation,
// EntryPoint is an address in this process, and VirtualFreeEx releases
// memory inside the target. Cross-process VirtualAllocEx + WriteProcessMemory
// + CreateRemoteThread is the classic remote-thread injection pattern that
// host EDR telemetry records.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer; // this process's image base / region allocated in the target
Size, BytesWritten, TID: longword; // SizeOfImage / bytes written / remote thread id
begin
Module := Pointer(GetModuleHandle(nil)); // HMODULE of this .exe, i.e. its load address
// Walk this module's PE headers: DOS header e_lfanew -> skip the 4-byte PE
// signature and the file header -> optional header -> SizeOfImage.
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew + SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
// Releases the region at Module *in the target process*. Module is this
// process's base, not the target's; a reply on this thread attributes the
// crash to this tearing down the target's own mapped image.
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
// Requests the same base address inside the target. On failure this is nil,
// and (per the last reply) the address granted need not equal Module.
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten); // raw byte copy of the image
// Thread starts at EntryPoint (an address from this process) with Module as
// its parameter; TID receives the new thread id.
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;
// Demo driver: launches notepad, finds it by window class, opens the process
// with full access and injects Main. No step is checked: if FindWindow
// returns 0, PID is presumably left unassigned and OpenProcess fails. The
// final line raises unconditionally, so the handler always ends by showing
// the last Win32 error, whether or not anything failed.
procedure TForm1.Button1Click(Sender: TObject);
var ProcessHandle, PID: longword;
begin
SetPrivilege; // enable SeDebugPrivilege
winexec('notepad',1); // launch notepad (1 = SW_SHOWNORMAL)
GetWindowThreadProcessId(FindWindow('notepad', nil), @PID); // first window of class 'notepad' -> owning process id
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID); // process handle (the original comment said "window handle")
Inject(ProcessHandle, @Main); // inject the function
CloseHandle(ProcessHandle);
// Always executes: reports GetLastError as an exception even when no call failed.
Raise Exception.Create(SysErrorMessage(GetLastError));end;end.
unit Unit1;interfaceuses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;type
// Main form of the demo: a single button whose OnClick handler
// (TForm1.Button1Click, in the implementation section) drives the whole
// privilege-elevation / injection sequence shown below.
TForm1 = class(TForm)
Button1: TButton; // presumably laid out in the .dfm loaded by {$R *.dfm}
procedure Button1Click(Sender: TObject); // OnClick handler
private
{ Private declarations }
public
{ Public declarations }
end;var
Form1: TForm1;implementation{$R *.dfm}
//提升权限
// Enables SeDebugPrivilege on this process's own access token so that a later
// OpenProcess() on another process is not refused by the access check.
// No return value is checked, so a failure (e.g. the token not holding the
// privilege at all) goes unnoticed and the caller proceeds regardless.
// Enabling SeDebugPrivilege is commonly treated as a high-signal event by
// host telemetry, so this call is the first thing a defender would see.
procedure SetPrivilege;
var
OldTokenPrivileges, TokenPrivileges: TTokenPrivileges; // reused as the new-state buffers of the two calls below
ReturnLength: dword; // byte count the first AdjustTokenPrivileges call reports
hToken: THandle; // this process's token; never closed (handle leak)
Luid: int64; // LUID of SeDebugPrivilege (int64 standing in for TLargeInteger)
begin
OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, hToken);
LookupPrivilegeValue(nil, 'SeDebugPrivilege', Luid);
TokenPrivileges.Privileges[0].luid := Luid;
TokenPrivileges.PrivilegeCount := 1;
TokenPrivileges.Privileges[0].Attributes := 0;
// First call: Attributes = 0, i.e. the privilege is set *disabled*. The
// previous state is written to OldTokenPrivileges, but the next three lines
// overwrite that buffer before it is used, so this call effectively only
// fills ReturnLength.
AdjustTokenPrivileges(hToken, False, TokenPrivileges, SizeOf(TTokenPrivileges), OldTokenPrivileges, ReturnLength);
OldTokenPrivileges.Privileges[0].luid := Luid;
OldTokenPrivileges.PrivilegeCount := 1;
// TokenPrivileges.Privileges[0].Attributes is still 0 here, so this is just SE_PRIVILEGE_ENABLED.
OldTokenPrivileges.Privileges[0].Attributes := TokenPrivileges.Privileges[0].Attributes or SE_PRIVILEGE_ENABLED;
// Second call: enable the privilege. ReturnLength (from the first call) is
// passed as the buffer length, and PTokenPrivileges(nil)^ is the Delphi way
// of passing a nil previous-state pointer.
AdjustTokenPrivileges(hToken, False, OldTokenPrivileges, ReturnLength, PTokenPrivileges(nil)^, ReturnLength);
end;
///自己随便写的函数
// Payload intended to run inside the target process as the start routine of
// the remote thread created in Inject. It shows a message box and then calls
// ExitProcess, which terminates whichever process it is running in, so the
// Result assignment is never reached. As the replies on this thread point
// out, @Main is an address in *this* process and means nothing in the target.
function Main(dwEntryPoint: Pointer): longword; stdcall;
begin
messagebox(0,'哈哈','哈哈,注入成功',MB_ok); // title/text: "haha" / "haha, injection succeeded"
ExitProcess(0); // nothing after this line executes
Result := 0; // unreachable
end; // direct function insertion
// Copies this process's entire executable image into the address space of
// ProcessHandle and starts a remote thread at EntryPoint. Nothing is checked.
// The replies on this thread explain why it cannot work as written: the
// image is copied as raw bytes with no relocation or initialisation,
// EntryPoint is an address in this process, and VirtualFreeEx releases
// memory inside the target. Cross-process VirtualAllocEx + WriteProcessMemory
// + CreateRemoteThread is the classic remote-thread injection pattern that
// host EDR telemetry records.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer; // this process's image base / region allocated in the target
Size, BytesWritten, TID: longword; // SizeOfImage / bytes written / remote thread id
begin
Module := Pointer(GetModuleHandle(nil)); // HMODULE of this .exe, i.e. its load address
// Walk this module's PE headers: DOS header e_lfanew -> skip the 4-byte PE
// signature and the file header -> optional header -> SizeOfImage.
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew + SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
// Releases the region at Module *in the target process*. Module is this
// process's base, not the target's; a reply on this thread attributes the
// crash to this tearing down the target's own mapped image.
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
// Requests the same base address inside the target. On failure this is nil,
// and (per the last reply) the address granted need not equal Module.
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten); // raw byte copy of the image
// Thread starts at EntryPoint (an address from this process) with Module as
// its parameter; TID receives the new thread id.
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;
// Demo driver: launches notepad, finds it by window class, opens the process
// with full access and injects Main. No step is checked: if FindWindow
// returns 0, PID is presumably left unassigned and OpenProcess fails. The
// final line raises unconditionally, so the handler always ends by showing
// the last Win32 error, whether or not anything failed.
procedure TForm1.Button1Click(Sender: TObject);
var ProcessHandle, PID: longword;
begin
SetPrivilege; // enable SeDebugPrivilege
winexec('notepad',1); // launch notepad (1 = SW_SHOWNORMAL)
GetWindowThreadProcessId(FindWindow('notepad', nil), @PID); // first window of class 'notepad' -> owning process id
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID); // process handle (the original comment said "window handle")
Inject(ProcessHandle, @Main); // inject the function
CloseHandle(ProcessHandle);
// Always executes: reports GetLastError as an exception even when no call failed.
Raise Exception.Create(SysErrorMessage(GetLastError));end;end.
http://blog.csdn.net/JPEXE/archive/2007/09/16/1786842.aspx
这里是C++代码,你翻译一下吧.
// Copies this process's entire executable image into the address space of
// ProcessHandle and starts a remote thread at EntryPoint. Nothing is checked.
// The replies on this thread explain why it cannot work as written: the
// image is copied as raw bytes with no relocation or initialisation,
// EntryPoint is an address in this process, and VirtualFreeEx releases
// memory inside the target. Cross-process VirtualAllocEx + WriteProcessMemory
// + CreateRemoteThread is the classic remote-thread injection pattern that
// host EDR telemetry records.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer; // this process's image base / region allocated in the target
Size, BytesWritten, TID: longword; // SizeOfImage / bytes written / remote thread id
begin
Module := Pointer(GetModuleHandle(nil)); // HMODULE of this .exe, i.e. its load address
// Walk this module's PE headers: DOS header e_lfanew -> skip the 4-byte PE
// signature and the file header -> optional header -> SizeOfImage.
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew + SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
// Releases the region at Module *in the target process*; Module is this
// process's base, not the target's (see the quoted reply after this block).
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
// Requests the same base address inside the target; on failure this is nil,
// and the address granted need not equal Module.
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten); // raw byte copy of the image
// Thread starts at EntryPoint (an address from this process) with Module as
// its parameter; TID receives the new thread id.
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end; VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE); // the host process's code space has been torn down; it would be odd if that did not fail
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten); //copy过去就完了?哪有这么便宜的事,代码都移位了,很多地址都需要修正,严格地说初始化啊等等很多东西都要处理
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID); //EntryPoint是本进程地址,拿到宿主进程指的是哪里根本就不知道
其它的没细看
//uses TlHelp32; // 需要引用此单元// DLL远程装载WideChar版
// Loads pszLibFile into process dwProcessId by writing the path into the
// target and running kernel32!LoadLibraryW there on a remote thread.
// Returns True only when the remote thread ran to completion; any failed
// step calls Abort(), which the bare except swallows, leaving Result False.
// The cleanup after the try block runs on both paths. The remote thread's
// exit code (LoadLibraryW's return value) is never inspected, so True means
// "the thread finished", not "the DLL loaded". The start address is
// resolved in *this* process and assumed valid in the target (same kernel32
// base). This VirtualAllocEx + WriteProcessMemory + CreateRemoteThread-at-
// LoadLibrary sequence is the canonical DLL-injection pattern EDR alerts on.
function InjectLibW(dwProcessId: DWORD; pszLibFile: LPCWSTR): BOOL; stdcall;
var
hProcess, hThread: THandle; // target process / remote thread
pszLibFileRemote: LPWSTR; // copy of the path inside the target
cch, cb: Integer; // path length in characters incl. NUL / in bytes
pfnThreadRtn: TFNThreadStartRoutine; // address of kernel32!LoadLibraryW
begin
Result := FALSE;
hProcess := 0;
hThread := 0;
pszLibFileRemote := nil; try
// Open a handle to the target process
hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_CREATE_THREAD or
PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess = 0) then Abort(); // path string length (bytes)
cch := 1 + lstrlenW(pszLibFile);
cb := cch * SizeOf(WideChar); // allocate memory for the path string
pszLibFileRemote := VirtualAllocEx(hProcess, nil, cb, MEM_COMMIT, PAGE_READWRITE);
if (pszLibFileRemote = nil) then Abort(); // copy the path string into the target process
if (WriteProcessMemory(hProcess, pszLibFileRemote, pszLibFile, cb, PDWORD(nil)^) = FALSE) then Abort(); // PDWORD(nil)^ passes a nil bytes-written pointer; next: locate LoadLibraryW
pfnThreadRtn := GetProcAddress(GetModuleHandle(Kernel32), 'LoadLibraryW');
if (pfnThreadRtn = nil) then Abort(); // create the LoadLibraryW thread
hThread := CreateRemoteThread(hProcess, nil, 0, pfnThreadRtn, pszLibFileRemote, 0, PDWORD(nil)^);
if (hThread = 0) then Abort(); // block until the remote thread ends (INFINITE: no timeout)
Result := (WaitForSingleObject(hThread, INFINITE) = WAIT_OBJECT_0);
except
end; if (pszLibFileRemote <> nil) then VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
if (hThread <> 0) then CloseHandle(hThread);
if (hProcess <> 0) then CloseHandle(hProcess);
end;// DLL remote load, AnsiChar version
// ANSI wrapper: widens pszLibFile into a temporary buffer and delegates to
// InjectLibW. wvsprintfW's '%S' converts an ANSI string; @pszLibFile is the
// va_list-style argument pointer (it points at the single argument, the
// string pointer). The buffer is sized as one wide char per ANSI byte plus
// the terminator, and freed after the call; InjectLibW catches its own
// exceptions, so FreeMem is reached on every path.
function InjectLibA(dwProcessId: DWORD; pszLibFile: LPCSTR): BOOL; stdcall;
var
pszLibFileW: LPWSTR; // wide copy of the path
begin
GetMem(pszLibFileW, (lstrlenA(pszLibFile) + 1) * SizeOf(WideChar)); // ANSI string -> Unicode
wvsprintfW(pszLibFileW, '%S', @pszLibFile); // call the WideChar version
Result := InjectLibW(dwProcessId, pszLibFileW); FreeMem(pszLibFileW);
end;// DLL remote unload, WideChar version
// Unloads pszLibFile from process dwProcessId: finds the module's base
// address through a Toolhelp module snapshot, then runs kernel32!FreeLibrary
// with that base on a remote thread in the target. pszLibFile is matched
// case-insensitively against either the module name or its full path.
// Failed steps call Abort(), caught by the bare except (Result stays False);
// the handle cleanup runs on every path. As in InjectLibW, the FreeLibrary
// address is resolved locally and assumed to be the same in the target, and
// the thread's exit code is not checked. One FreeLibrary drops one reference,
// so a module with a higher load count remains mapped.
function EjectLibW(dwProcessId: DWORD; pszLibFile: LPCWSTR): BOOL; stdcall;
var
hthSnapshot, hProcess, hThread: THandle; // module snapshot / target process / remote thread
me: TModuleEntry32W; // module record being examined
fMoreMods: BOOL; // enumeration cursor; still True after Break means me is the match
pfnThreadRtn: TFNThreadStartRoutine; // address of kernel32!FreeLibrary
begin
Result := FALSE;
hthSnapshot := MAXDWORD; // MAXDWORD is the 32-bit value of INVALID_HANDLE_VALUE, the snapshot failure result
hProcess := 0;
hThread := 0; try
// Snapshot the target's module list
hthSnapshot := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if (hthSnapshot = MAXDWORD) then Abort(); // look for the named module
me.dwSize := SizeOf(TModuleEntry32W);
fMoreMods := Module32FirstW(hthSnapshot, me);
while fMoreMods do
begin
if (lstrcmpiW(me.szModule, pszLibFile) = 0) or (lstrcmpiW(me.szExePath, pszLibFile) = 0) then Break; // found: leaves fMoreMods True
fMoreMods := Module32NextW(hthSnapshot, me);
end;
if (fMoreMods = FALSE) then Abort(); // enumeration ran out without a match; next: open the process
hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or
PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION, FALSE, dwProcessId);
if (hProcess = 0) then Abort(); // locate FreeLibrary
pfnThreadRtn := GetProcAddress(GetModuleHandle(Kernel32), 'FreeLibrary');
if (pfnThreadRtn = nil) then Abort(); // create the remote thread, passing the module base as the FreeLibrary argument
hThread := CreateRemoteThread(hProcess, nil, 0, pfnThreadRtn, me.modBaseAddr, 0, PDWORD(nil)^);
if (hThread = 0) then Abort(); // wait for the thread to finish (INFINITE: no timeout)
Result := (WaitForSingleObject(hThread, INFINITE) = WAIT_OBJECT_0);
except
end; if (hthSnapshot <> MAXDWORD) then CloseHandle(hthSnapshot);
if (hThread <> 0) then CloseHandle(hThread);
if (hProcess <> 0) then CloseHandle(hProcess);
end;// DLL remote unload, AnsiChar version
// ANSI wrapper: widens pszLibFile into a temporary buffer and delegates to
// EjectLibW, mirroring InjectLibA. wvsprintfW's '%S' converts an ANSI
// string; @pszLibFile is the va_list-style argument pointer. The buffer is
// freed after the call; EjectLibW catches its own exceptions, so FreeMem is
// reached on every path.
function EjectLibA(dwProcessId: DWORD; pszLibFile: LPCSTR): BOOL; stdcall;
var
pszLibFileW: LPWSTR; // wide copy of the path
begin
GetMem(pszLibFileW, (lstrlenA(pszLibFile) + 1) * SizeOf(WideChar)); // ANSI string -> Unicode
wvsprintfW(pszLibFileW, '%S', @pszLibFile); // call the WideChar version
Result := EjectLibW(dwProcessId, pszLibFileW); FreeMem(pszLibFileW);
end;
//直接插入函数
Module := Pointer(GetModuleHandle(nil)); //这句得到的地址是类似$400000之类
下面这句分配的地址你跟踪一下看看是多少应该是类似$7c0000之类
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
要让这两个地址一样,才行。