
用Delphi内嵌汇编实现卸载任意进程的某个DLL（本页摘录的是其中的 DumpPE：把目标进程的 PE 映像从内存按文件布局转存为磁盘文件）

时间:2011/9/3 15:19:31 点击:


部分代码（DumpPE：把目标进程内存中的 PE 映像按文件布局转存到磁盘）。注意：这里解析的 PE 头来自目标进程内存，属于不可信输入——加壳/反转储程序会故意破坏 e_lfanew、NumberOfSections、SizeOfRawData、PointerToRawData 等字段，复制节数据前必须对这些偏移和长度做边界检查，否则会造成堆缓冲区越界读写。

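// Reads [Base, Base+Size) from process Proc into Buf one page at a time, so a
// single guard or no-access page inside the target image does not make the
// whole dump fail (one large ReadProcessMemory call fails as soon as any page
// in the range is unreadable). Pages that cannot be read keep Buf's initial
// contents (zeros when Buf came from AllocMem).
// Base is assumed page aligned (it is an image base).
// Returns the number of pages that were read completely.
function ReadImagePages(Proc: THandle; Base: DWORD; Buf: PChar; Size: DWORD): DWORD;
var
  SysInfo: TSystemInfo;
  PageSize, Off, Chunk, Got: DWORD;
begin
  Result := 0;
  GetSystemInfo(SysInfo);
  PageSize := SysInfo.dwPageSize;
  Off := 0;
  while Off < Size do
  begin
    Chunk := Size - Off;
    if Chunk > PageSize then
      Chunk := PageSize;
    if ReadProcessMemory(Proc, Pointer(Base + Off), Buf + Integer(Off), Chunk, Got)
       and (Got = Chunk) then
      Inc(Result);
    Inc(Off, Chunk);
  end;
end;

// DumpPE: copies the PE image of the process selected in the tree view
// (tv.Items.Item[rec].ImageIndex holds its PID) out of that process's memory
// and writes it to disk in file layout: the headers first, then every section
// moved from its VirtualAddress to its PointerToRawData, with the file sized
// from the section table.
//
// FileName: path of the dump to create; if it already exists the user is
//           asked whether to overwrite it.
// Returns True only when the whole dump was written. Returns False on any
// failure (reported to the user via MessageBox) and when the user declined
// to overwrite an existing file.
//
// Security note: every header field used below comes from the target process
// and is untrusted - packed or anti-dump binaries deliberately corrupt
// e_lfanew, NumberOfSections, SizeOfRawData and PointerToRawData. Every
// offset is therefore checked against the buffer it indexes before any Move.
// The checks use the allocation size (nSize), so a header that changes
// between the two reads of the target cannot cause an out-of-bounds copy,
// only a logically inconsistent dump.
// Only PE32 images read from a 32-bit build are handled: the inline assembly
// and the header offsets assume IMAGE_NT_HEADERS32.
// NOTE(review): the output is the image as it is mapped in memory (relocated,
// imports already resolved) - treat it as an analysis artefact rather than a
// directly runnable executable.
function TForm1.DumpPE(FileName: String): Bool;
const
  HDR_PROBE        = $400;      // first read: enough to reach the NT headers
  NT_HDRS_SIZE     = $F8;       // sizeof(IMAGE_NT_HEADERS32)
  SECTION_HDR_SIZE = $28;       // sizeof(IMAGE_SECTION_HEADER)
  MZ_SIG           = $5A4D;     // IMAGE_DOS_SIGNATURE
  PE_SIG           = $00004550; // IMAGE_NT_SIGNATURE
var
  ProcessHandle: THandle;
  SrcBuf, DscBuf: PChar;
  nSize, lpNumberOfBytes: DWORD;
  imgBase, imgSize: DWORD;
  pid: Integer;
  eLfanew, SizeOfOptHdr, SizeOfHeaders: DWORD;
  NumberOfSections, AddrOfSecTable, SecTabEnd: DWORD;
  RawFileSize, VirtOff, RawSize, RawOff, Avail: DWORD;
  SecHdr: PChar;
  i: Integer;
  hFile: THandle;

  // Reports a failure to the user; the caller then leaves via Exit with
  // Result still False.
  procedure Fail(const Msg: String);
  begin
    MessageBox(Handle, PChar(Msg), '错误', 0);
  end;

begin
  Result := False;
  SrcBuf := nil;
  DscBuf := nil;
  hFile := INVALID_HANDLE_VALUE;

  pid := tv.Items.Item[rec].ImageIndex;
  // Least privilege: reading the image needs only query + VM read rights,
  // not PROCESS_ALL_ACCESS.
  ProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, pid);
  if ProcessHandle = 0 then
  begin
    Fail('无法打开进程。');
    Exit;
  end;
  try
    GetProcessBaseSize(pid, @imgBase, @imgSize);
    if imgBase = 0 then
    begin
      Fail('无法取得进程映像基址。');
      Exit;
    end;

    // 1. Probe: read the first 1K and validate the DOS and NT headers before
    //    trusting any offset in them.
    SrcBuf := AllocMem(HDR_PROBE);
    if (not ReadProcessMemory(ProcessHandle, Pointer(imgBase), SrcBuf, HDR_PROBE, lpNumberOfBytes))
       or (lpNumberOfBytes <> HDR_PROBE) then
    begin
      Fail('读取进程内存失败。');
      Exit;
    end;
    // e_lfanew is a full DWORD (the original read only its low word).
    eLfanew := PDWORD(SrcBuf + $3C)^;
    if (PWord(SrcBuf)^ <> MZ_SIG) or (eLfanew > HDR_PROBE - NT_HDRS_SIZE) then
    begin
      Fail('进程映像的PE头无效。');
      Exit;
    end;
    // Only dereferenced after the range check above.
    if PDWORD(SrcBuf + Integer(eLfanew))^ <> PE_SIG then
    begin
      Fail('进程映像的PE头无效。');
      Exit;
    end;

    // 2. Pull the header fields we need; offsets are relative to
    //    IMAGE_NT_HEADERS32. Only eax/ecx are clobbered, which Delphi permits.
    asm
      mov   eax, SrcBuf
      add   eax, eLfanew                // eax -> IMAGE_NT_HEADERS
      movzx ecx, word ptr [eax+$06]     // FileHeader.NumberOfSections
      mov   NumberOfSections, ecx
      movzx ecx, word ptr [eax+$14]     // FileHeader.SizeOfOptionalHeader
      mov   SizeOfOptHdr, ecx
      mov   ecx, [eax+$50]              // OptionalHeader.SizeOfImage
      mov   nSize, ecx
      mov   ecx, [eax+$54]              // OptionalHeader.SizeOfHeaders
      mov   SizeOfHeaders, ecx
    end;
    // No overflow: eLfanew < $400, SizeOfOptHdr and NumberOfSections are WORDs.
    AddrOfSecTable := eLfanew + $18 + SizeOfOptHdr;
    SecTabEnd := AddrOfSecTable + NumberOfSections * SECTION_HDR_SIZE;
    // The section table must lie inside both the headers and the image.
    if (NumberOfSections = 0) or (SecTabEnd > nSize)
       or (SizeOfHeaders < SecTabEnd) or (SizeOfHeaders > nSize) then
    begin
      Fail('节表或头大小无效。');
      Exit;
    end;

    // 3. Read the whole mapped image, page by page.
    FreeMem(SrcBuf);
    SrcBuf := nil;                   // so the finally block never frees the old block twice
    SrcBuf := AllocMem(nSize);
    if (ReadImagePages(ProcessHandle, imgBase, SrcBuf, nSize) = 0)
       or (PWord(SrcBuf)^ <> MZ_SIG) then
    begin
      Fail('读取进程内存失败。');
      Exit;
    end;

    // 4. Size the output from the section table: the section that reaches
    //    furthest in the file (the original used the last header in the
    //    table, which is not necessarily the one with the highest offset),
    //    but never less than the headers themselves.
    RawFileSize := SizeOfHeaders;
    for i := 0 to Integer(NumberOfSections) - 1 do
    begin
      SecHdr := SrcBuf + Integer(AddrOfSecTable) + i * SECTION_HDR_SIZE;
      RawSize := PDWORD(SecHdr + $10)^;   // SizeOfRawData
      RawOff  := PDWORD(SecHdr + $14)^;   // PointerToRawData
      // Reject wrap-around and raw extents beyond the mapped image: for a
      // well-formed PE32 the file layout never extends past SizeOfImage.
      if (RawOff > High(DWORD) - RawSize) or (RawOff + RawSize > nSize) then
      begin
        Fail('节表数据超出映像范围，可能已被篡改。');
        Exit;
      end;
      if RawOff + RawSize > RawFileSize then
        RawFileSize := RawOff + RawSize;
    end;

    // 5. Rebuild the file: the headers (SizeOfHeaders bytes - the original
    //    copied 2*FileAlignment, which could overrun the output buffer), then
    //    each section from its virtual offset to its raw offset.
    DscBuf := AllocMem(RawFileSize);
    Move(SrcBuf^, DscBuf^, Integer(SizeOfHeaders));
    for i := 0 to Integer(NumberOfSections) - 1 do
    begin
      SecHdr := SrcBuf + Integer(AddrOfSecTable) + i * SECTION_HDR_SIZE;
      VirtOff := PDWORD(SecHdr + $0C)^;   // VirtualAddress
      RawSize := PDWORD(SecHdr + $10)^;   // SizeOfRawData
      RawOff  := PDWORD(SecHdr + $14)^;   // PointerToRawData
      if (RawSize = 0) or (VirtOff >= nSize) then
        Continue;
      // Never read past the image buffer: copy what is mapped; the rest of
      // the section stays zero in the dump.
      Avail := nSize - VirtOff;
      if RawSize > Avail then
        RawSize := Avail;
      // Destination is in range: RawOff + SizeOfRawData <= RawFileSize (step 4).
      Move((SrcBuf + Integer(VirtOff))^, (DscBuf + Integer(RawOff))^, Integer(RawSize));
    end;

    // 6. Write the dump; ask before overwriting an existing file. Only an
    //    ERROR_FILE_EXISTS failure triggers the prompt - the original asked
    //    "file exists?" for every CreateFile failure.
    hFile := CreateFile(PChar(FileName), GENERIC_WRITE, 0, nil, CREATE_NEW,
                        FILE_ATTRIBUTE_NORMAL, 0);
    if (hFile = INVALID_HANDLE_VALUE) and (GetLastError = ERROR_FILE_EXISTS) then
    begin
      if MessageBox(Handle, '文件已存在,是否覆盖?', '注意', MB_YESNO) <> ID_YES then
        Exit;
      hFile := CreateFile(PChar(FileName), GENERIC_WRITE, 0, nil, CREATE_ALWAYS,
                          FILE_ATTRIBUTE_NORMAL, 0);
    end;
    if hFile = INVALID_HANDLE_VALUE then
    begin
      Fail('无法创建文件。');
      Exit;
    end;
    if WriteFile(hFile, DscBuf^, RawFileSize, lpNumberOfBytes, nil)
       and (lpNumberOfBytes = RawFileSize) then
    begin
      Result := True;
      MessageBox(Handle, '完成转存。', '信息', 0);
    end
    else
      MessageBox(Handle, '写文件出错。', '错误', 0);
  finally
    // Released on every path, including the early Exits and exceptions;
    // the original leaked both buffers and the process handle on an
    // access violation and closed an invalid file handle.
    if hFile <> INVALID_HANDLE_VALUE then
      CloseHandle(hFile);
    if DscBuf <> nil then
      FreeMem(DscBuf);
    if SrcBuf <> nil then
      FreeMem(SrcBuf);
    CloseHandle(ProcessHandle);
  end;
end;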





作者:廖子明 来源:转载