在Delphi中利用CreateRemoteThread遠(yuǎn)程注入例子

2019-11-18 18:01:50

字體：大中小

供稿：網(wǎng)友

花了一個(gè)下午翻了MSDN,寫了這個(gè)例子,為了安全,我用Delphi建了個(gè)什么也沒有作的程序PRjzzhost.exe,將它用作被注入的宿主進(jìn)程.
寫了一個(gè)TestDll.Dll,里面只有一個(gè)Log函數(shù),用來在文件Test.Txt中輸出信息.最重要的一個(gè)程序project1.exe是用來注入的.
測試環(huán)境: windows server 2003 + delphi 7.0
程序很簡單,高手就不用看了.廢話不說了,看代碼吧!

測試用的TestDll.Dll源代碼(它將被注入到prjzzhost.exe中去):

程序代碼

library TestDll;

uses
  SysUtils,
  System,
  windows,
  Classes;

  procedure Log( s : PChar);stdcall;
  var
    F : TextFile;
  begin
    assignfile(f,'Test.txt');
    if fileexists('Test.txt') then append(f)
    else rewrite(f);
    writeln(f,s);
    closefile(f);
  end;

  procedure DllEntryPoint(dwReason:DWord);
  begin
      case dwReason of
      DLL_PROCESS_ATTACH:
        Log('dll process Attach');
      DLL_PROCESS_DETACH:
      Log('dll process Detach');
      DLL_THREAD_ATTACH:
        Log('dll thread Attach');
      DLL_THREAD_DETACH:
        Log('dll thread Detach');
      end;

  end;

  exports
    Log;

begin
  DllProc := @DllEntryPoint;
  DllEntryPoint(DLL_PROCESS_ATTACH);
end.

被注入的宿主進(jìn)程prjzzhost.exe(它什么也沒有作,好無辜哦:),這里就不給出代碼了,因?yàn)樘唵瘟?哈哈.

最后,最重要的來了:
project1.exe的源代碼:

程序代碼

unit Unit1;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls,tlhelp32;

type

  TLog = procedure(s : PChar);stdcall;
  TServiceMain = procedure(argc : Integer; VAR argv : pchar);stdcall;

  EDLLLoadError = class(Exception);

  TForm1 = class(TForm)
    Button3: TButton;
    procedure Button3Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

{ 列舉進(jìn)程 }
procedure GetMyProcessID(const AFilename: string; const PathMatch: Boolean; var ProcessID: DWORD);
var
  lppe: TProcessEntry32;
  SsHandle: Thandle;
  FoundAProc, FoundOK: boolean;
begin
  ProcessID :=0;
  { 創(chuàng)建系統(tǒng)快照 }
  SsHandle := CreateToolHelp32SnapShot(TH32CS_SnapProcess, 0);

  { 取得快照中的第一個(gè)進(jìn)程 }
  { 一定要設(shè)置結(jié)構(gòu)的大小,否則將返回False }
  lppe.dwSize := sizeof(TProcessEntry32);
  FoundAProc := Process32First(Sshandle, lppe);
  while FoundAProc do
  begin
    { 進(jìn)行匹配 }
    if PathMatch then
      FoundOK := AnsiStricomp(lppe.szExefile, PChar(AFilename)) = 0
    else
      FoundOK := AnsiStricomp(PChar(ExtractFilename(lppe.szExefile)), PChar(ExtractFilename(AFilename))) = 0;
    if FoundOK then
    begin
      ProcessID := lppe.th32ProcessID;
      break;
    end;
    { 未找到,繼續(xù)下一個(gè)進(jìn)程 }
    FoundAProc := Process32Next(SsHandle, lppe);
  end;
  CloseHandle(SsHandle);
end;

{ 設(shè)置權(quán)限 }
function EnabledDebugPrivilege(const Enabled : Boolean) : Boolean;
var
  hTk : THandle; { 打開令牌句柄 }
  rtnTemp : Dword; { 調(diào)整權(quán)限時(shí)返回的值 }
  TokenPri : TOKEN_PRIVILEGES;
const
  SE_DEBUG = 'SeDebugPrivilege'; { 查詢值 }
begin
  Result := False;
  { 獲取進(jìn)程令牌句柄,設(shè)置權(quán)限 }
  if (OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,hTk)) then
  begin
    TokenPri.PrivilegeCount := 1;
    { 獲取Luid值 }
    LookupPrivilegeValue(nil,SE_DEBUG,TokenPri.Privileges[0].Luid);

    if Enabled then
      TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
    else
      TokenPri.Privileges[0].Attributes := 0;

    rtnTemp := 0;
    { 設(shè)置新的權(quán)限 }
    AdjustTokenPrivileges(hTk,False,TokenPri,sizeof(TokenPri),nil,rtnTemp);

    Result := GetLastError = ERROR_SUCCESS;
    CloseHandle(hTk);

  end;
end;

{ 調(diào)試函數(shù) }
procedure OutPutText(var CH:PChar);
var
  FileHandle: TextFile;
Begin
  AssignFile(FileHandle,'zztest.txt');
  Append(FileHandle);
  Writeln(FileHandle,CH);
  Flush(FileHandle);
  CloseFile(FileHandle);
END;

{ 注入遠(yuǎn)程進(jìn)程 }
function InjectTo(const Host, Guest: string; const PID: DWORD = 0): DWORD;
var
  { 被注入的進(jìn)程句柄,進(jìn)程ID}
  hRemoteProcess: THandle;
  dwRemoteProcessId: DWORD;

  { 寫入遠(yuǎn)程進(jìn)程的內(nèi)容大小 }
  memSize: DWORD;

  { 寫入到遠(yuǎn)程進(jìn)程后的地址 }
  pszLibFileRemote: Pointer;

  iReturnCode: Boolean;
  TempVar: DWORD;

  { 指向函數(shù)LoadLibraryW的地址 }
  pfnStartAddr: TFNThreadStartRoutine;

  { dll全路徑,需要寫到遠(yuǎn)程進(jìn)程的內(nèi)存中去 }
  pszLibAFilename: PwideChar;
begin
  Result := 0;
  { 設(shè)置權(quán)限 }
  EnabledDebugPrivilege(True);

  { 為注入的dll文件路徑分配內(nèi)存大小,由于為WideChar,故要乘2 }
  Getmem(pszLibAFilename, Length(Guest) * 2 + 1);
  StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1);

  { 獲取進(jìn)程ID }
  if PID > 0 then
     dwRemoteProcessID := PID
  else
     GetMyProcessID(Host, False, dwRemoteProcessID);

  { 取得遠(yuǎn)程進(jìn)程句柄,具有寫入權(quán)限}
  hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + {允許遠(yuǎn)程創(chuàng)建線程}
      PROCESS_VM_OperaTION + {允許遠(yuǎn)程VM操作}
      PROCESS_VM_WRITE, {允許遠(yuǎn)程VM寫}
      FALSE, dwRemoteProcessId);

  { 用函數(shù)VirtualAllocex在遠(yuǎn)程進(jìn)程分配空間,并用WriteProcessMemory中寫入dll路徑 }
  memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);
  pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
  TempVar := 0;
  iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar);

  if iReturnCode then
  begin
    pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
    TempVar := 0;
    { 在遠(yuǎn)程進(jìn)程中啟動(dòng)dll }
    Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
  end;

  { 釋放內(nèi)存空間 }
  Freemem(pszLibAFilename);
end;

  { 測試 }
procedure TForm1.Button3Click(Sender: TObject);
begin

  InjectTo('prjzzhost.exe', extractfilepath(paramstr(0))+'TestDll.dll');
end;

end.

代碼中并沒有考慮dll被載入后的善后處理,請不要使用系統(tǒng)進(jìn)程進(jìn)行測試,以免發(fā)生意外.

上一篇：Delphi操作Wrod的幾個(gè)知識點(diǎn)

下一篇：在Delphi中使用CreateOleObject方法對WORD文件進(jìn)行操作