uses tlhelp32;
type
///////////////////////////////////////////////////////////////////////////
TLPFN_KernelBaseGetGlobalData=procedure ;stdcall ;
///////////////////////////////////////////////////////////////////////////
TForm1 = class(TForm)
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;var
Form1: TForm1;implementation{$R *.dfm}
//查找要注入的进程,返回进程ID,这个函数测试的时候返回是正常的,所以可以跳过
function findprocess(const afilename:string;const pathmatch:Boolean  DWORD ;
var
ippe:TProcessEntry32 ;
sshandle:THandle ;
foundaproc,foundok:Boolean;
begin
Result :=0;
ippe.dwSize :=SizeOf (ippe);
sshandle :=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0 );
foundaproc :=Process32First(sshandle ,ippe);
while foundaproc do
begin
if pathmatch then
foundok :=AnsiStrIComp(ippe.szExeFile ,PChar(afilename))=0
else
foundok :=AnsiStrIComp(PChar(ExtractFilename(ippe.szExeFile )),PChar (ExtractFileName (afilename )))=0 ;
if foundok then
begin
Result :=ippe.th32ProcessID;
Break ;
end;
foundaproc :=Process32Next(sshandle ,ippe);
end;
CloseHandle(sshandle );
end;
/////////////////////////////////////////////////////////////////////////////////
//提权,也是正确的。
function enabledebugprivilege(const benable:boolean):Boolean ;
var
htoken :THandle;
tp:TOKEN_PRIVILEGES ;
a:DWORD ;
const
se_debug_name='sedebugprivilege';
begin
Result :=False;
if (OpenProcessToken(GetCurrentProcess ,TOKEN_ADJUST_PRIVILEGES ,htoken )) then
begin
tp.PrivilegeCount :=1;
LookupPrivilegeValue(nil,se_debug_name ,tp.Privileges[0].luid);
if benable then
tp.Privileges[0].Attributes :=SE_PRIVILEGE_ENABLED
else
tp.Privileges[0].Attributes :=0;
a:=0;
AdjustTokenPrivileges(htoken,False,tp,SizeOf(tp),nil,a) ;
result:=GetLastError =ERROR_SUCCESS ;
CloseHandle(htoken) ;
end;
end;
//主要实现代码,错误出现在这里
function attachtoprocess(const hostfile,guestfile:string ;const pid :DWORD =0):DWORD;
var
hremoteprocess,hKernelBase:hmodule;
dwremoteprocessid:DWORD;
cb:DWORD;
pszlibfileremote:Pointer;
ireturncode:Boolean;
tempvar:DWORD ;
s:string;
pfnstartaddr:TFNThreadStartRoutine ;
pszlibafilename:PWideChar ;
pKernelBaseGetGlobalData:TLPFN_KernelBaseGetGlobalData;
pGlobalData,pmisc:PInteger ;
begin
pKernelBaseGetGlobalData:=nil;
pGlobalData :=nil;
Result:=0;
enabledebugprivilege(true);
GetMem(pszlibafilename ,length(guestfile)*2+1);
StringToWideChar(guestfile ,pszlibafilename,length(guestfile)*2+1 );
if pid >0 then
dwremoteprocessid :=pid
else
dwremoteprocessid := findprocess(hostfile,False );
hremoteprocess :=OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE,False ,dwremoteprocessid );
cb:=(1+lstrlenw(pszlibafilename ))*sizeof(wchar) ;
pszlibfileremote :=pwidestring(VirtualAllocEx(hremoteprocess ,nil,cb,MEM_COMMIT ,PAGE_READWRITE )) ;
tempvar:=0;
ireturncode :=WriteProcessMemory (hremoteprocess ,pszlibfileremote ,pszlibafilename ,cb, nativeuint(tempvar ));
if ireturncode then
begin
hKernelBase := LoadLibraryw('KernelBase');
pKernelBaseGetGlobalData:= TLPFN_KernelBaseGetGlobalData(GetProcAddress(hKernelBase,'KernelBaseGetGlobalData'));
pmisc:=@pKernelBaseGetGlobalData;
tempvar :=0;
pmisc:=Pointer ($5c+integer(pmisc));
//下面的这步出错;说access violation at address 00511c1f in module'XX.exe'. write of address 747f6c7d,pmisc的地址是747f6c7d.
pmisc^:=1;
pfnstartaddr:=getprocaddress(getmodulehandle('kernel32'),loadlibrary);
Result :=CreateRemoteThread(hremoteprocess ,nil,0,pMisc,pszlibfileremote ,0,tempvar );
s:=IntToStr (GetLastError );
ShowMessage(s);
end;
FreeMem(pszlibafilename ) ;
end;procedure TForm1.Button1Click(Sender: TObject);
begin
attachtoprocess('explorer.exe',ExtractFilePath(ParamStr(0))+'destdll.dll');
怎么解决???
希望大家说说看法
看雪论坛原帖http://bbs.pediy.com/showthread.php?t=154102
type
///////////////////////////////////////////////////////////////////////////
TLPFN_KernelBaseGetGlobalData=procedure ;stdcall ;
///////////////////////////////////////////////////////////////////////////
TForm1 = class(TForm)
Button1: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;var
Form1: TForm1;implementation{$R *.dfm}
//查找要注入的进程,返回进程ID,这个函数测试的时候返回是正常的,所以可以跳过
function findprocess(const afilename:string;const pathmatch:Boolean  DWORD ;
var
ippe:TProcessEntry32 ;
sshandle:THandle ;
foundaproc,foundok:Boolean;
begin
Result :=0;
ippe.dwSize :=SizeOf (ippe);
sshandle :=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0 );
foundaproc :=Process32First(sshandle ,ippe);
while foundaproc do
begin
if pathmatch then
foundok :=AnsiStrIComp(ippe.szExeFile ,PChar(afilename))=0
else
foundok :=AnsiStrIComp(PChar(ExtractFilename(ippe.szExeFile )),PChar (ExtractFileName (afilename )))=0 ;
if foundok then
begin
Result :=ippe.th32ProcessID;
Break ;
end;
foundaproc :=Process32Next(sshandle ,ippe);
end;
CloseHandle(sshandle );
end;
/////////////////////////////////////////////////////////////////////////////////
//提权,也是正确的。
function enabledebugprivilege(const benable:boolean):Boolean ;
var
htoken :THandle;
tp:TOKEN_PRIVILEGES ;
a:DWORD ;
const
se_debug_name='sedebugprivilege';
begin
Result :=False;
if (OpenProcessToken(GetCurrentProcess ,TOKEN_ADJUST_PRIVILEGES ,htoken )) then
begin
tp.PrivilegeCount :=1;
LookupPrivilegeValue(nil,se_debug_name ,tp.Privileges[0].luid);
if benable then
tp.Privileges[0].Attributes :=SE_PRIVILEGE_ENABLED
else
tp.Privileges[0].Attributes :=0;
a:=0;
AdjustTokenPrivileges(htoken,False,tp,SizeOf(tp),nil,a) ;
result:=GetLastError =ERROR_SUCCESS ;
CloseHandle(htoken) ;
end;
end;
//主要实现代码,错误出现在这里
function attachtoprocess(const hostfile,guestfile:string ;const pid :DWORD =0):DWORD;
var
hremoteprocess,hKernelBase:hmodule;
dwremoteprocessid:DWORD;
cb:DWORD;
pszlibfileremote:Pointer;
ireturncode:Boolean;
tempvar:DWORD ;
s:string;
pfnstartaddr:TFNThreadStartRoutine ;
pszlibafilename:PWideChar ;
pKernelBaseGetGlobalData:TLPFN_KernelBaseGetGlobalData;
pGlobalData,pmisc:PInteger ;
begin
pKernelBaseGetGlobalData:=nil;
pGlobalData :=nil;
Result:=0;
enabledebugprivilege(true);
GetMem(pszlibafilename ,length(guestfile)*2+1);
StringToWideChar(guestfile ,pszlibafilename,length(guestfile)*2+1 );
if pid >0 then
dwremoteprocessid :=pid
else
dwremoteprocessid := findprocess(hostfile,False );
hremoteprocess :=OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION + PROCESS_VM_WRITE,False ,dwremoteprocessid );
cb:=(1+lstrlenw(pszlibafilename ))*sizeof(wchar) ;
pszlibfileremote :=pwidestring(VirtualAllocEx(hremoteprocess ,nil,cb,MEM_COMMIT ,PAGE_READWRITE )) ;
tempvar:=0;
ireturncode :=WriteProcessMemory (hremoteprocess ,pszlibfileremote ,pszlibafilename ,cb, nativeuint(tempvar ));
if ireturncode then
begin
hKernelBase := LoadLibraryw('KernelBase');
pKernelBaseGetGlobalData:= TLPFN_KernelBaseGetGlobalData(GetProcAddress(hKernelBase,'KernelBaseGetGlobalData'));
pmisc:=@pKernelBaseGetGlobalData;
tempvar :=0;
pmisc:=Pointer ($5c+integer(pmisc));
//下面的这步出错;说access violation at address 00511c1f in module'XX.exe'. write of address 747f6c7d,pmisc的地址是747f6c7d.
pmisc^:=1;
pfnstartaddr:=getprocaddress(getmodulehandle('kernel32'),loadlibrary);
Result :=CreateRemoteThread(hremoteprocess ,nil,0,pMisc,pszlibfileremote ,0,tempvar );
s:=IntToStr (GetLastError );
ShowMessage(s);
end;
FreeMem(pszlibafilename ) ;
end;procedure TForm1.Button1Click(Sender: TObject);
begin
attachtoprocess('explorer.exe',ExtractFilePath(ParamStr(0))+'destdll.dll');
怎么解决???
希望大家说说看法
看雪论坛原帖http://bbs.pediy.com/showthread.php?t=154102
解决方案 »
- 这个论坛没有爱么、装个delphi都没有帮忙。
- 关于数据库安全的提问
- scktsrvr.exe 占用CPU资源100%,请高手和遇到此类问题的人进来讨论讨论
- FastReport3.0如何用代码直接打印,不要出现预览窗口等
- fastreport里如何用代码来实现改变默认的打印机?
- 救救我这个菜鸟吧!
- 任务栏右键单击关闭的事件在哪写,我想在里面做些操作就是在执行FORMCLOSE事件之前
- 我想用delphi开发一个数据库系统,要求数据库十分稳定,又没有版权的纠纷,请问应选择哪种数据库!
- 如何播放做到EXE文件中的WAV资源??来者有分
- 求助delphi中dglopengl的使用问题
- delphi中image组件上画线如何清除
- DELPHI的 CHECKBOX的多选查询—————求指教—————标题要长才行啊
改成
cb := 1;
WriteProcessMemory(GetCurrentProcess(), pmisc , @cb , 4 , tempvar);这代码作用很小
看雪论坛原帖http://bbs.pediy.com/showthread.php?t=154102
你能看看为什么我们delphi的就是错误呢,有相应的思路么?