通过开启远程线程 注射DLL至目标进程

阿杰

1. unit Inject;
   
2. 
   
3. interface
   
4. uses Windows, SysUtils, Messages, Classes;
   
5. 
   
6. //再目标进程中申请空间，写入注射代码后 ，开启远程线程以执行
   
7. 
   
8. function InjectDll(pid: thandle; dllname: string; timeout: cardinal = 7000):
   
9. boolean;
   
10. 
    
11. //参数 pid 进程ID ，dllname 欲注射dll的名字
    
12. //调用样例 InjectDll(pid,'.\inject.dll');
    
13. //原理 使得目标进程通过API函数LoadLibraryA主动加载欲注射的DLL。
    
14. 
    
15. var
    
16. RemoteCode: array[0..18] of char = (#$60, #$9C, #$B8, #$88, #$77, #$66, #$55,
    
17. #$BA, #$44, #$33, #$22, #$11, #$52, #$FF, #$D0, #$9D, #$61, #$C3, #$00);
    
18. {
    
19. 注射的代码
    
20. 60 pushad
    
21. 9C pushfd
    
22. B8 88776655 mov eax, 55667788
    
23. BA 44332211 mov edx, 11223344
    
24. 52 push edx
    
25. FFD0 call eax
    
26. 9D popfd
    
27. 61 popad
    
28. C3 retn
    
29. }
    
30. 
    
31. implementation
    
32. 
    
33. function InjectDll(pid: thandle; dllname: string; timeout: cardinal = 7000):
    
34. boolean;
    
35. var
    
36. Rpid: thandle;
    
37. RemotePoint, RemoteFilename: pointer;
    
38. LoadLibptr: pointer;
    
39. rcode: longbool;
    
40. temp: cardinal;
    
41. threadid: cardinal;
    
42. begin
    
43. result := false;
    
44. Rpid := OpenProcess(PROCESS_ALL_ACCESS, false, pid); //打开目标进程
    
45. if Rpid = 0 then
    
46. exit; //打开失败则退出
    
47. RemoteFilename := VirtualAllocEx(Rpid, nil, length(dllname) + 1, MEM_COMMIT,
    
48. PAGE_READWRITE);
    
49. //在目标进程中申请空间 大小为欲注射dll名字长度+1 权限为可读写
    
50. if RemoteFilename = nil then
    
51. begin
    
52. CloseHandle(Rpid);
    
53. exit; //申请空间失败则退出
    
54. end;
    
55. rcode := WriteProcessMemory(Rpid, RemoteFileName, @dllname[1],
    
56. length(dllname), temp);
    
57. //将欲注射dll名字写入刚刚已经申请的空间中
    
58. if not rcode then
    
59. begin
    
60. CloseHandle(rpid);
    
61. exit; //写入失败则退出
    
62. end;
    
63. LoadLibptr := GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryA');
    
64. //获取LoadLibraryA函数的地址指针
    
65. if LoadLibptr = nil then
    
66. begin
    
67. CloseHandle(rpid);
    
68. exit; //获取失败则退出
    
69. end;
    
70. RemotePoint := VirtualAllocEx(Rpid, nil, sizeof(RemoteCode) + 1, MEM_COMMIT,
    
71. PAGE_EXECUTE_READWRITE);
    
72. //在目标进程中申请空间 大小为注射代码的字节数+1 权限为可执行可读写
    
73. if RemotePoint = nil then
    
74. begin
    
75. CloseHandle(rpid);
    
76. exit; //申请失败则退出
    
77. end;
    
78. 
    
79. {
    
80. 注射的代码
    
81. 60 pushad
    
82. 9C pushfd
    
83. B8 88776655 mov eax, 55667788
    
84. BA 44332211 mov edx, 11223344
    
85. 52 push edx
    
86. FFD0 call eax
    
87. 9D popfd
    
88. 61 popad
    
89. C3 retn
    
90. }
    
91. 
    
92. CopyMemory(@RemoteCode[3], @LoadLibptr, 4);
    
93. //将LoadLibraryA的地址指针(4字节)写入 将如上88776655覆盖
    
94. CopyMemory(@RemoteCode[8], @RemoteFilename, 4);
    
95. //将dll名字的首地址指针(4字节)写入 将如上44332211覆盖
    
96. rcode := WriteProcessMemory(Rpid, RemotePoint, @RemoteCode[0],
    
97. sizeof(Remotecode), temp); //将注射代码写入申请的空间中
    
98. if rcode then
    
99. begin
    
100. result := CreateRemoteThread(rpid, nil, 0, RemotePoint, nil, 0, threadid) <>
     
101. 0; //写入成功则开启一个远程线程执行
     
102. CloseHandle(rpid);
     
103. end;
     
104. end;
     
105. end.

复制代码