
Delphi进程注入的部分代码

时间:2011/9/3 15:20:32 点击:

//------------------------- Code-injection helper ----------------------------
{ Parameters:
  InHWND:    handle of a window owned by the target process
  Func:      pointer to the routine whose code is copied into the target
  Param:     pointer to the parameter block handed to that routine
  ParamSize: size of the parameter block, in bytes

  This is the textbook remote-thread injection chain
  (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread).
  From a defender's point of view it is exactly the API sequence that
  process-injection detections key on (cross-process OpenProcess with
  PROCESS_ALL_ACCESS followed by CreateRemoteThread, e.g. Sysmon Event ID 8).
  None of the API return values are checked, so every failure is silent. }
procedure InjectFunc(InHWND: HWND; Func: Pointer; Param: Pointer; ParamSize: DWORD);
var
    hProcess_N: THandle;
    ThreadAdd, ParamAdd: Pointer;
    hThread: THandle;
    ThreadID: DWORD;
    lpNumberOfBytes:DWORD;
begin
    GetWindowThreadProcessId(InHWND, @ThreadID);    // despite its name, ThreadID receives the owning PROCESS id (the second argument of this API)
    hProcess_N := OpenProcess(PROCESS_ALL_ACCESS, False, ThreadID);// open the target with full access; a 0 (failure) handle is never checked
    ThreadAdd := VirtualAllocEx(hProcess_N, nil, 4096, MEM_COMMIT, PAGE_READWRITE);    // one page in the target for the copied code, requested as read/write only
    WriteProcessMemory(hProcess_N, ThreadAdd, Func, 4096, lpNumberOfBytes); // copies 4096 bytes starting at Func — the routine's machine code plus whatever follows it in this image, not an address
    ParamAdd := VirtualAllocEx(hProcess_N, nil, ParamSize, MEM_COMMIT, PAGE_READWRITE);    // space in the target for the parameter block
    WriteProcessMemory(hProcess_N, ParamAdd, Param, ParamSize, lpNumberOfBytes); // copies the parameter block
    hThread := CreateRemoteThread(hProcess_N, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes); // starts a thread in the target at the copied code; lpNumberOfBytes is reused here to receive the new thread id
    ResumeThread(hThread); // the thread was not created suspended (flags = 0), so this is effectively a no-op
    CloseHandle(hThread); // handle closed without waiting for the remote thread to finish

    // NOTE(review): MEM_RELEASE requires dwSize = 0, so with 4096/ParamSize these calls fail
    // (ERROR_INVALID_PARAMETER) and the allocations stay mapped in the target; the result is
    // not checked. Had they succeeded, the code page would be released while the remote thread
    // may still be executing it.
    VirtualFreeEx(hProcess_N, ThreadAdd, 4096, MEM_RELEASE);
    VirtualFreeEx(hProcess_N, ParamAdd, ParamSize, MEM_RELEASE); // same for the parameter block

    CloseHandle(hProcess_N); // close the process handle
end;

//----------------------------- Parameter block type -----------------------
type
    TPickCallParam = packed record
      ax, ay: single;    // two 32-bit floats; copied into the target by InjectFunc and read by runCall
    end;
    PPickCallParam = ^TPickCallParam;    // pointer to the record (the Delphi counterpart of a C struct pointer)

procedure runCall(p:PPickCallParam);stdcall;    // routine whose code InjectFunc copies into the target ("walk" call)
{ Executes inside the target process, not in this one. The three call addresses and
  every memory offset below are hard-coded for one specific build of the target
  executable, so nothing here is portable. The record fields ax/ay are written into a
  structure reached by following a pointer chain from the fixed address $8f207c.
  NOTE(review): the locals and the hard-coded addresses are referenced from this
  routine's own frame/image; whether the code still works after being copied to a
  different address is not established by anything on this page. }
var
addres,addres1,addres2:pointer;
x,y:single;
begin
      addres:=pointer($0045ec00);    // target-specific code addresses, taken verbatim from the original
      addres1:=pointer($00462620);
      addres2:=pointer($0045f000);
      x:=p^.ax;              // destination X coordinate
      y:=p^.ay;            // destination Y coordinate
      asm
      pushad                                  // save all general-purpose registers
        mov      eax, dword ptr [$8f207c]     // start of the pointer chain: a fixed global in the target
        mov      eax, dword ptr [eax+$1C]
        mov      esi, dword ptr [eax+$20]
        mov      ecx, dword ptr [esi+$ba0]    // ecx = object passed to the first call (thiscall-style)
        push      1
        call      addres                      // first target routine; result kept in edi
        mov      edi, eax
        lea      eax, dword ptr [esp+$18]     // address of a slot inside the pushad save area
        push      eax
        push      0
        mov      ecx, edi
        call      addres1                     // second target routine
        push      0
        push      1
        push      edi
        mov      ecx, dword ptr [esi+$ba0]
        push      1
        call      addres2                     // third target routine
        mov      eax, dword ptr [$8f207c]     // re-walk the chain to the structure that holds the coordinates
        mov      eax, dword ptr [eax+$1C]
        mov      eax, dword ptr [eax+$20]
        mov      eax, dword ptr [eax+$ba0]
        mov      eax, dword ptr [eax+$30]
        mov      ecx, dword ptr [eax+4]
        mov      eax, x
        mov      [ecx+$20], eax               // store X
        mov      eax, y
        mov      [ecx+$28], eax               // store Y
      popad                                   // restore registers
      end;

END;

procedure TForm1.Button1Click(Sender: TObject);// test button on the form
{ Test driver: finds the target window, fills the parameter record and hands both
  runCall and the record to InjectFunc.
  pname, myhwnd, aproc and phnd are not declared in this method — presumably
  form- or unit-level variables; verify against the rest of the unit. }

var

      CallParam:TPickCallParam;
begin;
    getmem(pname,33);                                   // allocated here and never freed in this method
    myhwnd := FindWindow(nil,'Element Client');{ locate the target window by title }
    GetWindowThreadProcessId(myhwnd, aproc); { aproc receives the process id of the window's owner }
    phnd := OpenProcess(PROCESS_VM_READ , False, aproc);{ NOTE(review): the original comment said "full access", but only PROCESS_VM_READ is requested; this handle serves only as an "is the process there" check — InjectFunc opens its own PROCESS_ALL_ACCESS handle }
    if (phnd<>0 ) then
    begin
      CallParam.ax:= 1860.0;    // values the injected routine reads as ax/ay
      CallParam.ay:=120.0;

      InjectFunc(myhWnd,@runCall,@CallParam,SizeOf(CallParam)); // copy runCall and CallParam into the target and start it there
      sleep(100);                                                 // fixed delay; nothing here synchronises with the remote thread

      CloseHandle(PHND) // close the read-only handle
    end;
end;

作者:站长 来源:转载