delphi完美的线程注入和卸载

2017-11-04 13:27:08来源:oschina作者:伽罗kapple人点击


unit Unit1;


interface


uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls;


// Main form of the demo. Button1's handler loads a DLL into a foreign process
// (InjectDll), Button2's handler unloads it again (EjectDll); both use
// GetExplorId to pick the target pid. GetExplorId is window-based, not
// name-based: it never looks up a process called explorer.exe.
type TForm1 = class(TForm)Button1: TButton;Button2: TButton;procedure Button1Click(Sender: TObject);procedure Button2Click(Sender: TObject);function GetExplorId:Cardinal; private{ Private declarations } public{ Public declarations } end;


// Global instance of the form declared above.
var Form1: TForm1;


implementation


{$R *.dfm}


// 21 bytes of raw 32-bit x86 machine code that EjectDll patches in place,
// copies into the target process and starts as a remote thread. Layout
// (standard opcode encodings; the imm32 slots are zero here and filled by
// EjectDll via PDWORD writes at the hard-coded offsets 1, 6 and 13):
//   [0]      $B8 imm32   mov eax, <FreeLibrary address>   (imm32 at [1..4])
//   [5]      $68 imm32   push <module base>               (imm32 at [6..9])
//   [10..11] $FF $D0     call eax
//   [12]     $B8 imm32   mov eax, <ExitThread address>    (imm32 at [13..16])
//   [17..18] $6A $00     push 0
//   [19..20] $FF $D0     call eax
// Net effect in the target: FreeLibrary(hMod); ExitThread(0). The offsets
// above and the patch code in EjectDll must stay in step.
// Note: element [16] is written as decimal 00 instead of $00 -- same value,
// inconsistent notation only.
// Review note: a global buffer of executable bytes, patched at runtime and
// placed in another process as PAGE_EXECUTE_READWRITE memory, is exactly the
// remote-RWX-plus-remote-thread shape that endpoint monitoring flags.
var AsmBuf:Array [0..20] of Byte = ($B8,$00,$00,$00,$00,$68,$00,$00,$00,$00,$FF,$D0,$B8,$00,$00,$00,00,$6A,$00,$FF,$D0);


// Enables or disables SeDebugPrivilege on the calling process' own token.
//   bEnabled  True -> attribute SE_PRIVILEGE_ENABLED, False -> attribute 0.
//   Returns   True only if OpenProcessToken succeeded AND GetLastError is
//             ERROR_SUCCESS after AdjustTokenPrivileges; False otherwise.
// AdjustTokenPrivileges signals "privilege not held" through GetLastError
// (ERROR_NOT_ALL_ASSIGNED), not through its BOOL result, which is why the
// error code rather than the return value is tested. The privilege can only
// be enabled on a token that already holds it (normally an elevated token),
// so on a plain user token this returns False.
// Review notes: the return values of LookupPrivilegeValue and
// AdjustTokenPrivileges themselves are unchecked, and both callers below
// (InjectDll, EjectDll) discard this function's Result.
function EnabledDebugPrivilege(const bEnabled: Boolean):Boolean; var hToken: THandle; tp: TOKEN_PRIVILEGES; a: DWORD; const SE_DEBUG_NAME = 'SeDebugPrivilege'; begin Result:=False; if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then begintp.PrivilegeCount :=1;LookupPrivilegeValue(nil,SE_DEBUG_NAME ,tp.Privileges[0].Luid);if bEnabled thentp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLEDelsetp.Privileges[0].Attributes := 0;a:=0;AdjustTokenPrivileges(hToken,False,tp,SizeOf(tp),nil,a);Result:= GetLastError = ERROR_SUCCESS;CloseHandle(hToken); end; end;


// Loads Dll into process pid by starting a remote thread at kernel32's
// LoadLibraryW with the wide-string path as its argument.
//   pid  target process id; 0 -> returns 0 and does nothing.
//   Dll  path handed to LoadLibraryW inside the target.
//   Returns the thread handle from CreateRemoteThread, or 0 when pid = 0 or
//   WriteProcessMemory failed. No caller closes that handle (see Button1Click).
// Sequence: EnabledDebugPrivilege (Result ignored) -> OpenProcess(PROCESS_ALL_ACCESS)
//   -> VirtualAllocEx(PAGE_READWRITE) -> WriteProcessMemory -> CreateRemoteThread.
// Review notes (visible here, not fixed):
//   - hProc and pRemote are never checked for 0/nil; a failed OpenProcess still
//     reaches VirtualAllocEx and CloseHandle with an invalid handle.
//   - cbSize (= length*2+21 bytes) is passed to StringToWideChar as DestSize,
//     which is a WideChar count, so a byte count stands in for a character
//     count; harmless here because the source is always shorter than the buffer,
//     but the units do not match.
//   - The LoadLibraryW address is taken from this process' kernel32 and assumed
//     to be valid in the target; that holds only for same-bitness processes
//     sharing the system-wide kernel32 base and is not verified.
// This OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread chain is
// the textbook remote-thread DLL load that process-injection detections are
// built around.
function InjectDll(pid:cardinal;Dll:string):Cardinal; var hProc:Cardinal; wDllPath:PwideChar; pRemote:Pointer; cbSize:cardinal; TempVar:Cardinal; begin result:=0; if pid=0 then exit; EnabledDebugPrivilege(true); cbSize:= length(Dll)*2+21; GetMem(wDllPath,cbSize); StringToWideChar(Dll,wDllPath,cbSize); hProc:=OpenProcess(PROCESS_ALL_ACCESS,false,pid); trypRemote:=VirtualAllocEx( hProc, nil, cbSize, MEM_COMMIT, PAGE_READWRITE);if WriteProcessMemory(hProc,pRemote, wDllPath, cbSize, TempVar) thenbeginTempVar:=0;Result := CreateRemoteThread(hProc, nil, 0,GetProcAddress(GetModuleHandle('Kernel32'),'LoadLibraryW'), pRemote, 0, TempVar);end; finallyCloseHandle(hProc);FreeMem(wDllPath); end; end;


// Unloads Dll from process pid. Finds the module through the undocumented ntdll
// call RtlQueryProcessDebugInformation(PDI_MODULES), then runs the AsmBuf stub
// (FreeLibrary(base); ExitThread(0)) as a remote thread once per recorded
// LoadCount.
//   pid  target process id; 0 -> returns 0.
//   Dll  compared case-insensitively (UpperCase) against each module's ImageName.
//   Returns the handle of the last CreateRemoteThread, or 0 if pid = 0 or the
//   stub could not be written.
// The record types declared here mirror ntdll's internal debug-buffer layouts
// as this code assumes them: 32-bit fields (Cardinal Base/Size) and a 256-char
// ANSI ImageName. They are undocumented and assumed to match the running
// Windows version -- confirm before relying on them.
// HNtDll and the three Rtl* pointers are locals of EjectDll shared with the two
// nested functions that follow.
function EjectDll(pid:cardinal;Dll:string):Cardinal; typePDebugModule = ^TDebugModule;TDebugModule = packed recordReserved: array [0..1] of Cardinal;Base: Cardinal;Size: Cardinal;Flags: Cardinal;Index: Word;Unknown: Word;LoadCount: Word;ModuleNameOffset: Word;ImageName: array [0..$FF] of Char;end; typePDebugModuleInformation = ^TDebugModuleInformation;TDebugModuleInformation = recordCount: Cardinal;Modules: array [0..0] of TDebugModule; end; typePDebugBuffer = ^TDebugBuffer;TDebugBuffer = recordSectionHandle: THandle;SectionBase: Pointer;RemoteSectionBase: Pointer;SectionBaseDelta: Cardinal;EventPairHandle: THandle;Unknown: array [0..1] of Cardinal;RemoteThreadHandle: THandle;InfoClassMask: Cardinal;SizeOfInfo: Cardinal;AllocatedSize: Cardinal;SectionSize: Cardinal;ModuleInformation: PDebugModuleInformation;BackTraceInformation: Pointer;HeapInformation: Pointer;LockInformation: Pointer;Reserved: array [0..7] of Pointer;end; const PDI_MODULES = $01; ntdll = 'ntdll.dll'; var HNtDll: HMODULE; type TFNRtlCreateQueryDebugBuffer = function(Size: Cardinal;EventPair: Boolean): PDebugBuffer;stdcall; TFNRtlQueryProcessDebugInformation = function(ProcessId,DebugInfoClassMask: Cardinal; var DebugBuffer: TDebugBuffer): Integer;stdcall; TFNRtlDestroyQueryDebugBuffer = function(DebugBuffer: PDebugBuffer): Integer;stdcall; var RtlCreateQueryDebugBuffer: TFNRtlCreateQueryDebugBuffer; RtlQueryProcessDebugInformation: TFNRtlQueryProcessDebugInformation; RtlDestroyQueryDebugBuffer: TFNRtlDestroyQueryDebugBuffer;


// Nested helper: loads ntdll.dll and resolves the three Rtl* entry points into
// the enclosing function's pointer variables.
// Review note: the Result expression tests Assigned(RtlQueryProcessDebugInformation)
// twice and never tests RtlDestroyQueryDebugBuffer, so a missing destroy routine
// is not reported. EjectDll's body also discards this Result, so a failed load
// leads straight to calling a nil RtlCreateQueryDebugBuffer.
function LoadRtlQueryDebug: LongBool; beginHNtDll := LoadLibrary(ntdll);if HNtDll <> 0 thenbeginRtlCreateQueryDebugBuffer := GetProcAddress(HNtDll, 'RtlCreateQueryDebugBuffer');RtlQueryProcessDebugInformation := GetProcAddress(HNtDll, 'RtlQueryProcessDebugInformation');RtlDestroyQueryDebugBuffer := GetProcAddress(HNtDll, 'RtlDestroyQueryDebugBuffer');end;Result := Assigned(RtlCreateQueryDebugBuffer) andAssigned(RtlQueryProcessDebugInformation) andAssigned(RtlQueryProcessDebugInformation); end;


// Nested helper: drops the ntdll reference taken by LoadRtlQueryDebug.
function ReleaseRtlQueryDebug: LongBool; beginresult:=FreeLibrary(HNtDll); end;


// Body of EjectDll (its header and declarations are above). Review notes,
// visible here and not fixed:
//   - hMod and j are assigned only when an ImageName matches Dll. If nothing
//     matches -- plausible, since the handlers pass 'c:/ExHook.Dll' with a
//     forward slash while ntdll presumably reports the normalised full path
//     (confirm) -- execution continues with uninitialised hMod and j: the stub
//     is patched with a garbage base and started a garbage number of times.
//   - If RtlCreateQueryDebugBuffer returns nil, ReleaseRtlQueryDebug is never
//     reached, so the ntdll reference leaks (minor).
//   - hProc, pRemoteFunc and both GetProcAddress results are unchecked.
//   - Each loop iteration overwrites Result with a fresh thread handle; none are
//     closed by this function or its caller.
//   - The stub lives in PAGE_EXECUTE_READWRITE memory and is started by
//     CreateRemoteThread at a non-image address -- the classic injection
//     indicator for endpoint monitoring.
// TForm1.GetExplorId follows on the same physical line after EjectDll's end.
// Despite its name it does not look up explorer.exe: it returns the pid owning
// GetWindow(Handle, GW_HWNDLAST), i.e. the bottom-most top-level window in Z
// order relative to this form, and assumes that window belongs to the shell.
// Neither the window handle nor the resulting pid is validated.
var hProc:Cardinal; hMod:cardinal; TempVar:Cardinal; DbgBuffer: PDebugBuffer; i,j:integer; pd:PDWORD; pRemoteFunc:pointer; begin result:=0; if pid=0 then exit; EnabledDebugPrivilege(true); LoadRtlQueryDebug; DbgBuffer := RtlCreateQueryDebugBuffer(0, False); if Assigned(DbgBuffer) thentryif RtlQueryProcessDebugInformation(pid, PDI_MODULES, DbgBuffer^) >= 0 thenfor i:=0 to DbgBuffer.ModuleInformation.Count-1 doif UpperCase(DbgBuffer.ModuleInformation.Modules[i].ImageName)=UpperCase(Dll) thenbeginhMod:=DbgBuffer.ModuleInformation.Modules[i].Base;j:=DbgBuffer.ModuleInformation.Modules[i].LoadCount;Break;end;finallyRtlDestroyQueryDebugBuffer(DbgBuffer);ReleaseRtlQueryDebug;end; hProc:=OpenProcess(PROCESS_ALL_ACCESS,false,pid); tryTempVar:=DWORD(GetProcAddress(GetModuleHandle('Kernel32'),'FreeLibrary'));pd:=@AsmBuf[1];pd^:=TempVar;pd:=@AsmBuf[6];pd^:=hMod;TempVar:=DWORD(GetProcAddress(GetModuleHandle('Kernel32'),'ExitThread'));pd:=@AsmBuf[13];pd^:=TempVar;pRemoteFunc:=VirtualAllocEx( hProc, nil, 21, MEM_COMMIT, PAGE_EXECUTE_READWRITE);if WriteProcessMemory(hProc, pRemoteFunc, @AsmBuf[0], 21, TempVar) thenfor i:=0 to j-1 dobeginTempVar:=0;Result := CreateRemoteThread(hProc, nil, 0, pRemoteFunc, nil, 0, TempVar);end; finallyCloseHandle(hProc); end; end;function TForm1.GetExplorId:Cardinal; begin GetWindowThreadProcessId(GetWindow(Handle,GW_HWNDLAST),@result); end;


// Button1: inject the hard-coded DLL path into the pid chosen by GetExplorId.
// The thread handle InjectDll returns is discarded, so it leaks. The path is
// spelled with a forward slash; EjectDll later compares that same string
// literally against the module name reported by ntdll.
procedure TForm1.Button1Click(Sender: TObject); begin InjectDll(GetExplorId,'c:/ExHook.Dll'); end;


// Button2: unload the same hard-coded DLL path from the pid chosen by
// GetExplorId. The thread handle EjectDll returns is discarded (leaks), and no
// error is surfaced if the module was never found in the target.
procedure TForm1.Button2Click(Sender: TObject); begin EjectDll(GetExplorId,'c:/ExHook.Dll'); end;


end.

转载自:http://www.delphitop.com/html/Dll/1946.html
