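{ Return the process id of a running process whose executable base name
  (compared case-insensitively, extension removed) is listed in ExeNames,
  a ';'-separated list such as 'notepad.exe;calc'. Returns 0 when nothing
  matches or the Toolhelp snapshot cannot be taken. If several processes
  match, the one enumerated last wins.

  Fixes relative to the previous revision: the local base-name helper no
  longer keeps the leading '\' of a full path (which made every path-qualified
  szExeFile unmatchable) and no longer chops the last character off a name
  that has no extension; the membership test is now for ';NAME;' so a name
  that is a substring of an earlier list entry cannot be missed; the snapshot
  handle is checked and always closed.

  NOTE(review): an image name is not an identity - any process can carry the
  target's name and PIDs are recycled - so callers must not treat the returned
  PID as proof of which program they are about to touch.
  NOTE(review): SysUtils.UpperCase is documented to fold ASCII letters only, so
  a non-ASCII executable name matches only when given in the same case. }
function FindProcess(ExeNames: pchar): cardinal; stdcall;

  { Strip any directory part and the last extension from Path.
    A name with no '.' (or only a leading one) is returned whole. }
  function BaseNameNoExt(Path: string): string;
  var
    k, cut: integer;
  begin
    cut := 0;
    for k := 1 to length(Path) do
      if Path[k] = '\' then cut := k;
    result := copy(Path, cut + 1, MaxInt);   // cut = 0 -> whole string
    cut := 0;
    for k := 1 to length(result) do
      if result[k] = '.' then cut := k;
    if cut > 1 then
      result := copy(result, 1, cut - 1);
  end;

var
  snap: THandle;
  entry: TProcessEntry32;
  more: BOOL;
  wanted, seen: string;
begin
  result := 0;
  // Normalise the list to ';NAME;NAME;' with every '.EXE' dropped, so that a
  // membership test for ';seen;' is exact and cannot hit inside a longer name
  // (a bare pos(seen, list) would, and would only ever find the first hit).
  wanted := StringReplace(uppercase(';' + exenames + ';'), '.EXE;', ';', [rfReplaceAll]);
  snap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if snap = INVALID_HANDLE_VALUE then
    exit;
  try
    entry.dwSize := sizeof(entry);
    more := Process32First(snap, entry);
    while more do
    begin
      // szExeFile is normally a bare file name; strip a path if one is present
      seen := uppercase(BaseNameNoExt(entry.szExeFile));
      if (seen <> '') and (pos(';' + seen + ';', wanted) <> 0) then
        result := entry.th32ProcessID;
      more := Process32Next(snap, entry);
    end;
  finally
    CloseHandle(snap);
  end;
end;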
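{ True when the running platform is a Windows NT kernel (NT/2000/XP and
  later), false on the Windows 95/98/Me family. If GetVersionEx itself fails
  the function assumes NT, as the previous revision did. The magic value 2 is
  now spelled VER_PLATFORM_WIN32_NT.

  NOTE(review): GetVersionEx is deprecated and the version numbers it reports
  can be capped by the application manifest on newer Windows; the platform id
  still separates the NT and 9x families, which is all this needs. }
function isNT: boolean; stdcall;
var
  info: TOSVersionInfo;
begin
  result := true;
  info.dwOSVersionInfoSize := sizeof(info);
  if GetVersionEx(info) then
    result := (info.dwPlatformId = VER_PLATFORM_WIN32_NT);
end;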
{ Allocate Size bytes of read/write/execute memory that process pid can reach
  and return its address in that process, or nil on failure.

  pid is first tried as a process id (OpenProcess with PROCESS_ALL_ACCESS);
  when that fails the value is used unchanged, which lets a caller pass an
  already-open process handle instead.
  NOTE(review): that fallback also means a bogus pid is silently used as a
  handle on NT, so callers must check the result for nil.

  On NT the block is VirtualAllocEx'd into the target. On Windows 9x it is
  taken from this process with flag $80000000 - presumably the 9x shared-arena
  flag, under which the allocation is visible to every process; confirm before
  relying on it. The pages are PAGE_EXECUTE_READWRITE because the caller writes
  code into them and then runs it. }
function myVirtualAllocEx(pid: cardinal; Size: cardinal): pointer; stdcall;
var
  opened: cardinal;
begin
  opened := OpenProcess(PROCESS_ALL_ACCESS, false, pid);
  if opened <> 0 then
    pid := opened;   // from here on pid holds a handle
  if isNT then
    result := VirtualAllocEx(pid, nil, Size, MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE)
  else
    result := VirtualAlloc(nil, Size, $80000000 or MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if opened <> 0 then
    CloseHandle(opened);
end;
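{ Start a thread at addr inside process pid. Returns 0 on failure.

  pid is first tried as a process id (OpenProcess, PROCESS_ALL_ACCESS); when
  that fails the value is used unchanged as an already-open process handle,
  mirroring myVirtualAllocEx.

  Two strategies:
   * NT with NTuseCRT = true: CreateRemoteThread. The result is the new
     thread's HANDLE, which the caller owns and must close.
   * Otherwise (Windows 9x, or NTuseCRT = false): hook user32!TranslateMessage
     in the target. The thunk CRTinjectbegin..CRTinjectend plus a 20-byte
     parameter area is copied into memory obtained from myVirtualAllocEx and
     the first 5 bytes of TranslateMessage are overwritten with a JMP to it.
     The next time the target calls TranslateMessage, the thunk calls
     CreateThread(addr) from inside the target, puts the 8 saved bytes back
     and jumps to the restored TranslateMessage. Here the result is the flag
     1 on success - not a handle.

  Parameter area layout (at memaddr + codesize):
     +0  addr      thread start routine
     +4  jmpaddr   address of TranslateMessage (the hooked entry point)
     +8  the 8 original bytes of TranslateMessage, read from THIS process's
         user32 and restored by the thunk
    +16  ct        address of kernel32!CreateThread

  Fixes relative to the previous revision: the handle returned by OpenProcess
  is now actually used for CreateRemoteThread / VirtualProtectEx /
  WriteProcessMemory (the old `if pid2 = 0 then pid := pid` was a no-op, so
  a real PID was passed where a HANDLE was required); the handle that gets
  closed is that OpenProcess handle rather than the caller's value; a failed
  GetProcAddress or allocation is rejected before anything is written; and
  the heap copy of the thunk is freed on every path.

  NOTE(review): jmpaddr, ct and the saved prologue bytes come from THIS
  process and are reused in the target, so user32.dll and kernel32.dll must
  be mapped at the same base, with identical code, in both - not guaranteed
  in general.
  NOTE(review): the hook is not thread-safe (another target thread entering
  TranslateMessage while the thunk restores the prologue would execute a
  half-patched function), the remote allocation is never freed, and the
  target's TranslateMessage page is left PAGE_EXECUTE_READWRITE. This is
  cross-process code injection; callers need the matching privileges. }
function myCreateRemoteThread(pid: cardinal; addr: pointer; NTuseCRT: boolean): cardinal; stdcall;

  { Thunk copied into the target. Each [nnnnnnnn] operand (decimal in Delphi
    asm) is the OFFSET into the parameter area; the patch sites listed in
    PatchOfs add memaddr+codesize to it. Those byte offsets are tied to this
    exact instruction sequence and encoding - change one instruction and they
    must be re-derived. }
  procedure CRTinjectbegin; assembler;
  asm
    push ebx                // preserve the registers the thunk clobbers
    push eax
    push eax                // slot that receives the thread id
    push esp                // lpThreadId -> that slot
    push 0                  // dwCreationFlags
    push 0                  // lpParameter
    push [00000000]         // lpStartAddress = addr          (patched, +0)
    push 0                  // dwStackSize
    push 0                  // lpThreadAttributes
    call [00000016]         // CreateThread                   (patched, +16)
    pop eax                 // drop the thread id slot
    mov eax, [00000004]     // eax = TranslateMessage         (patched, +4)
    mov ebx, [00000008]     // saved bytes 0..3               (patched, +8)
    mov [eax], ebx          // restore them
    add eax, 4
    mov ebx, [00000012]     // saved bytes 4..7               (patched, +12)
    mov [eax], ebx
    pop eax
    pop ebx
    jmp [00000004]          // run the real TranslateMessage  (patched, +4)
  end;

  { End marker only; codesize = @CRTinjectend - @CRTinjectbegin. }
  procedure CRTinjectend; assembler;
  begin
  end;

  { Add delta to the 32-bit operand at byte offset ofs of the thunk copy. }
  procedure Relocate(thunk: pointer; ofs: cardinal; delta: cardinal);
  var
    slot: ^cardinal;
  begin
    slot := pointer(cardinal(thunk) + ofs);
    slot^ := slot^ + delta;
  end;

type
  { 5-byte near JMP rel32 written over the start of TranslateMessage. }
  tjmpcode = packed record
    JMPbyte: byte;
    distance: cardinal;
  end;
const
  // byte offsets of the six absolute operands in CRTinjectbegin
  PatchOfs: array[0..5] of cardinal = (10, 20, 27, 33, 44, 54);
var
  jmpaddr, memaddr, ct, cpyasm: pointer;
  tid, opened, hproc, old, codesize, written, base: cardinal;
  jmpcode: tjmpcode;
  i: integer;
begin
  result := 0;
  opened := openprocess(PROCESS_ALL_ACCESS, false, pid);
  if opened <> 0 then
    hproc := opened     // pid really was a process id
  else
    hproc := pid;       // assume the caller handed us a process handle
  if isNT and NTuseCRT then
  begin
    result := CreateRemoteThread(hproc, nil, 0, addr, nil, 0, tid);
  end
  else if hproc <> 0 then
  begin
    ct := @createthread;
    codesize := cardinal(@CRTinjectend) - cardinal(@CRTinjectbegin);
    jmpaddr := getprocaddress(getmodulehandle('user32.dll'), 'TranslateMessage');
    // thunk + 5 dwords of parameters; the original pid is passed because
    // myVirtualAllocEx performs its own OpenProcess / handle fallback
    memaddr := myVirtualAllocEx(pid, 5*4 + codesize);
    if (jmpaddr <> nil) and (memaddr <> nil) then
    begin
      base := cardinal(memaddr) + codesize;
      // kept from the previous revision; the patches below go to the heap
      // copy, so this only seems to matter if the local thunk were patched
      virtualprotect(@CRTinjectbegin, codesize, PAGE_EXECUTE_READWRITE, old);
      virtualprotectex(hproc, jmpaddr, 8, PAGE_EXECUTE_READWRITE, old);
      getmem(cpyasm, codesize);
      try
        // memcopy is presumably a Move-style (dst, src, n) copy defined
        // elsewhere in this unit
        memcopy(cpyasm, @CRTinjectbegin, codesize);
        if writeprocessmemory(hproc, pointer(base + 0), @addr, 4, written)
          and writeprocessmemory(hproc, pointer(base + 4), @jmpaddr, 4, written)
          and writeprocessmemory(hproc, pointer(base + 8), jmpaddr, 8, written)
          and writeprocessmemory(hproc, pointer(base + 16), @ct, 4, written) then
        begin
          for i := 0 to High(PatchOfs) do
            Relocate(cpyasm, PatchOfs[i], base);
          jmpcode.JMPbyte := $E9;
          // rel32 is relative to the end of the 5-byte JMP
          jmpcode.distance := cardinal(memaddr) - cardinal(jmpaddr) - 5;
          if writeprocessmemory(hproc, memaddr, cpyasm, codesize, written)
            and writeprocessmemory(hproc, jmpaddr, @jmpcode, sizeof(jmpcode), written) then
            result := 1;
        end;
      finally
        freemem(cpyasm);
      end;
    end;
  end;
  if opened <> 0 then
    closehandle(opened);
end;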