HanDs (administrator)

[Delphi article] Implementing a DLL plug-in style memory patch

Implementing a DLL plug-in style memory patch:

Idea: write your own DLL, PYG.DLL, that exports a function K. Then pick a DLL the target program has to load anyway (I used LPK.DLL, which practically every executable loads). With a PE tool, add an import-table entry for PYG.DLL / function K, and copy PYG.DLL and the modified LPK.DLL into the directory of the program to be cracked. When the program loads LPK.DLL, the loader also loads PYG.DLL, which then performs the memory modification.

Example attachment: 例子.rar (25.74 KB)

2007-8-21 15:41


DLL part:
library pyg;

{ Important note about DLL memory management: ShareMem must be the
  first unit in your library's USES clause AND your project's (select
  Project-View Source) USES clause if your DLL exports any procedures or
  functions that pass strings as parameters or function results. This
  applies to all strings passed to and from your DLL--even those that
  are nested in records and classes. ShareMem is the interface unit to
  the BORLNDMM.DLL shared memory manager, which must be deployed along
  with your DLL. To avoid using BORLNDMM.DLL, pass string information
  using PChar or ShortString parameters. }

uses
  windows,
  TlHelp32,
  Unit1 in 'Unit1.pas';

var
  Pn: TProcessEntry32;   { never filled in: globals are zero-initialised, so th32ParentProcessID is 0 }

{$R *.res}

{ Exported stub: it only exists so that a PE editor can add "PYG.DLL / K" to the host DLL's import table. }
procedure k; stdcall;
begin
end;

procedure MyDLLProc; stdcall;
var
  hHandle: HWND;
begin
  hHandle := pn.th32ParentProcessID;   { 0 here, so HookOn ends up with thread id 0, i.e. a system-wide hook }
  //HookOn(hHandle,0);
  HookOn(hHandle, WH_SHELL);           // install the hook
end;

exports
  k;

begin
  DLLProc := @MyDLLProc;   { @ yields an untyped pointer, so the mismatch with TDLLProc's Reason parameter is not checked }
  MyDLLProc;
end.
Memory-modification unit:
unit Unit1;

interface
uses
windows;



var
hHk: HHOOK=0;
mhwnd:HWND=0;
hThread: Cardinal;
hmod: Pointer; //Hinstance


procedure HookProc;stdcall;
function HookOn(lpHwnd:HWND;lpType:Longint): Longint;stdcall;
function HookOff:Boolean;stdcall;

implementation

function HookOn(lpHwnd: HWND; lpType: Longint): Longint; stdcall; export;
begin
  mhwnd := lpHwnd;
  if hHk <> 0 then UnHookWindowsHookEx(hHk);
  hThread := GetWindowThreadProcessId(mhwnd, hmod);   // returns 0 when mhwnd is not a window handle
  hHk := SetWindowsHookEx(lpType, @HookProc, hInstance, hThread);   // WH_KEYBOARD; thread id 0 = all threads
  Result := hHk;
end;

procedure ModMemData();
var
  pData: Pointer;
  dwOldProtect: DWORD;
  mbi_thunk: TMemoryBasicInformation;
begin
  pData := Pointer($004024E0);
  // query the page information
  VirtualQuery(pData, mbi_thunk, SizeOf(MEMORY_BASIC_INFORMATION));
  // change the page protection to read/write (previous protection is returned in dwOldProtect)
  VirtualProtect(mbi_thunk.BaseAddress, mbi_thunk.RegionSize, PAGE_READWRITE, dwOldProtect);
end;


{ Note: this is not a real hook callback (no nCode/wParam/lParam and no CallNextHookEx);
  it relies on pushad/popad to leave the registers as it found them. }
procedure HookProc; stdcall;
var
  ljj: PChar;
  ljj2: string;
  DLLHandle: THandle;
begin
  try
    begin
      asm
        pushad
        pushfd
        mov eax,$004024e0
        mov edx,$358b6674      // expected original dword at that address (bytes 74 66 8B 35)
        cmp [eax],edx
        jne @@11               // not the expected code: do nothing
        push eax
        call ModMemData        // make the page writable
        pop eax
        mov edx,$358b9090      // same dword with the first two bytes replaced by 90 90 (nop nop)
        mov [eax],edx
      @@11:
        popfd
        popad
      end;
    end;
  except
    begin
      asm
        popfd
        popad
      end;
    end;
  end;
  HookOff;     // remove the hook again after the first call
end;


function HookOff:Boolean;stdcall;
begin
if hHk<>0 then
begin
UnHookWindowsHookEx(hHk);
hHk :=0;
Result :=true;
end
else
Result :=false;
end;


end.
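A defender's check for the import-table side of this technique, added here as an example (not code from the post): it parses the import directory of a PE32 file in pure Python and reports DLLs outside an allowlist, so a side-loaded copy of a system DLL whose import table now names PYG.DLL stands out. SYSTEM_DLLS, the function names and build_sample_pe (a constructed minimal PE32 used as input) are assumptions for the demo; in practice you would run pe_imports over the LPK.DLL found in an application directory and compare the result with the copy in System32.

```python
import struct
SYSTEM_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "ntdll.dll", "msvcrt.dll", "usp10.dll"}

def _rva_to_off(sections, rva):
    for va, raw_size, raw_ptr in sections:            # sections: (VirtualAddress, SizeOfRawData, PointerToRawData)
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def pe_imports(data):
    """Map each DLL imported by a well-formed PE32 image to its imported names ('#n' = ordinal)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew -> "PE\0\0"
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)   # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]        # DataDirectory[1] = import table
    sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    result, desc = {}, (_rva_to_off(sections, imp_rva) if imp_rva else None)
    while desc is not None:                                       # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:
            break
        names, thunk = [], _rva_to_off(sections, oft or ft)
        while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
            names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000 else _cstr(data, _rva_to_off(sections, entry) + 2))
            thunk += 4
        result[_cstr(data, _rva_to_off(sections, name_rva))] = names
        desc += 20
    return result

def unexpected_imports(data, allow=SYSTEM_DLLS):
    """DLLs outside the allowlist: candidates for an import entry added after the build."""
    return {dll: fns for dll, fns in pe_imports(data).items() if dll.lower() not in allow}

def build_sample_pe():
    """Constructed minimal PE32 whose only import is K from PYG.DLL (demo input, not a real file)."""
    pe_off, opt_size, va, raw = 0x40, 0xE0, 0x1000, 0x200
    img = bytearray(2 * raw)                                      # headers in the first 0x200 bytes, .idata after
    struct.pack_into("<2s58xI", img, 0, b"MZ", pe_off)                          # DOS header, e_lfanew
    struct.pack_into("<4sHH", img, pe_off, b"PE\0\0", 0x14C, 1)                # signature, i386, one section
    struct.pack_into("<H2xH", img, pe_off + 20, opt_size, 0x10B)               # SizeOfOptionalHeader, PE32 magic
    struct.pack_into("<II", img, pe_off + 24 + 104, va, 40)                    # import directory RVA / size
    struct.pack_into("<8sIIII", img, pe_off + 24 + opt_size, b".idata", 0x60, va, raw, raw)
    struct.pack_into("<5I", img, raw, va + 0x40, 0, 0, va + 0x30, va + 0x48)   # descriptor: OFT, -, -, Name, FT
    struct.pack_into("<8s8xIIIIH2s", img, raw + 0x30, b"PYG.DLL\0", va + 0x50, 0, va + 0x50, 0, 0, b"K\0")
    return bytes(img)
```

Any DLL the genuine System32 copy does not import is worth a look; a copy of a system DLL sitting next to the executable at all is already the first signal.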


#1  Posted: 2016-7-9