delphi如何在win7中远程注入代码

一. delphi远程注入Dll文件

1. 首先，您必须找到已经在内存中运行的应用程序（EXE）的PID。以下函数将通过名称获得PID

   function PIDbyName(ProcessName: PWideChar): DWORD;
   var
     ProcessSnap: Int64;
     ProcessEntry32: TProcessEntry32;
   begin
     Result := 0;
     ProcessSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
     if ProcessSnap <> INVALID_HANDLE_VALUE then
       begin
         ProcessEntry32.dwSize := SizeOf(TPROCESSENTRY32);
         if Process32First(ProcessSnap, ProcessEntry32) then
           repeat
             if lstrcmpi(ProcessEntry32.szExeFile, ProcessName) = 0 then
               begin
                 Result := ProcessEntry32.th32ProcessID;
                 CloseHandle(ProcessSnap);
                 exit;
               end;
           until not Process32Next(ProcessSnap, ProcessEntry32);
         Result := 0;
         CloseHandle(ProcessSnap);
       end;
   end;

2. 这是32/64位应用程序的DLL注入函数 Source是DLL，Target是EXE

   function InjectDLL(Source, Target : PWideChar) : boolean;
   var
     dwThreadID: Cardinal;
     hProc, hThread: THandle;
     BytesToWrite, BytesWritten: SIZE_T;
     pRemoteBuffer, pLoadLibrary: Pointer;
   begin
     hProc := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ, False, PIDbyName(Target));
     if hProc = 0 then exit(false);
     try
       BytesToWrite := SizeOf(WideChar) * (Length(Source) + 1);
       pRemoteBuffer := VirtualAllocEx(hProc, nil, BytesToWrite, MEM_COMMIT,PAGE_READWRITE);
       if pRemoteBuffer = nil then exit(false);
       try
         if not WriteProcessMemory(hProc, pRemoteBuffer, Source, BytesToWrite, BytesWritten) then exit(false);
         pLoadLibrary := GetProcAddress(GetModuleHandle('kernel32.dll'), 'LoadLibraryW');
         hThread := CreateRemoteThread(hProc, nil, 0, pLoadLibrary, pRemoteBuffer, 0, dwThreadID);
         try
           WaitForSingleObject(hThread, INFINITE);
         finally
           Result := true;
           CloseHandle(hThread);
         end;
       finally
         VirtualFreeEx(hProc, pRemoteBuffer, 0, MEM_RELEASE);
       end;
     finally
         CloseHandle(hProc);
     end;
   end;

3. 简单的DLL

   library testDLL;
    
   uses
     System.SysUtils,
     System.Classes,
     Winapi.Windows;
    
   {$R *.res}
    
   procedure DLLEntryPoint(dwReason: DWord);
   var
     DLLHandle : DWORD;
   begin
     case dwReason of
       DLL_PROCESS_ATTACH:
         MessageBox(DLLHandle, 'Process Attach', 'Info', mb_Ok);
       DLL_PROCESS_DETACH:
         MessageBox(DLLHandle, 'Process Detach', 'Info', mb_Ok);
     end;
   end;
    
   begin
     DllProc := @DLLEntryPoint;
     DllEntryPoint(DLL_PROCESS_ATTACH);
   end.

   用法：InjectDLL(‘testDLL.dll’, ‘yourapplication.exe’)

   二. delphi远程直接注入代码执行(非DLL插入是代码注入)

   //-------------------------注入代码的函数----------------------------  
   {参数说明: 
   InHWND:被注入的窗口句柄 
   Func:注入的函数的指针 
   Param:参数的指针 
   ParamSize:参数的大小 
   }  
   procedure InjectFunc(InHWND: HWND; Func: Pointer; Param: Pointer; ParamSize: DWORD);  
   var  
       hProcess_N: THandle;  
       ThreadAdd, ParamAdd: Pointer;  
       hThread: THandle;  
       ThreadID: DWORD;  
       lpNumberOfBytes:DWORD;  
   begin  
       GetWindowThreadProcessId(InHWND, @ThreadID);    //获得窗口ID  
       hProcess_N := OpenProcess(PROCESS_ALL_ACCESS, False, ThreadID);//打开被注入的进程  
       ThreadAdd := VirtualAllocEx(hProcess_N, nil, 4096, MEM_COMMIT, PAGE_READWRITE);    //申请写入代码空间  
       WriteProcessMemory(hProcess_N, ThreadAdd, Func, 4096, lpNumberOfBytes); //写入函数地址  
       ParamAdd := VirtualAllocEx(hProcess_N, nil, ParamSize, MEM_COMMIT, PAGE_READWRITE);    //申请写入代码参数空间  
       WriteProcessMemory(hProcess_N, ParamAdd, Param, ParamSize, lpNumberOfBytes); //写入参数地址  
       hThread := CreateRemoteThread(hProcess_N, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes); //创建远程线程  
       ResumeThread(hThread); //直接运行线程  
       CloseHandle(hThread); //关闭线程  
       VirtualFreeEx(hProcess_N, ThreadAdd, 4096, MEM_RELEASE);  
       VirtualFreeEx(hProcess_N, ParamAdd, ParamSize, MEM_RELEASE); //释放申请的地址  
       CloseHandle(hProcess_N); //关闭打开的句柄  
   end;  
   //-----------------------------定义一个参数类型-----------------------  
   type  
       TPickCallParam = packed record  
         ax, ay: single;  
       end;  
       PPickCallParam = ^TPickCallParam;    //指向结构的指针(C中叫这种方式的数据应该叫结构体吧)  
   procedure runCall(p:PPickCallParam);stdcall;    // 走路call  
   var  
   addres,addres1,addres2:pointer;  
   x,y:single;  
   begin  
         addres:=pointer($0045ec00);  
         addres1:=pointer($00462620);  
         addres2:=pointer($0045f000);  
         x:=p^.ax;              //目的地X坐标  
         y:=p^.ay;            //目的地Y坐标  
         asm  
         pushad  
           mov      eax, dword ptr [$8f207c]  
           mov      eax, dword ptr [eax+$1C]  
           mov      esi, dword ptr [eax+$20]  
           mov      ecx, dword ptr [esi+$ba0]  
           push      1  
           call      addres  
           mov      edi, eax  
           lea      eax, dword ptr [esp+$18]  
           push      eax  
           push      0  
           mov      ecx, edi  
           call      addres1  
           push      0  
           push      1  
           push      edi  
           mov      ecx, dword ptr [esi+$ba0]  
           push      1  
           call      addres2  
           mov      eax, dword ptr [$8f207c]  
           mov      eax, dword ptr [eax+$1C]  
           mov      eax, dword ptr [eax+$20]  
           mov      eax, dword ptr [eax+$ba0]  
           mov      eax, dword ptr [eax+$30]  
           mov      ecx, dword ptr [eax+4]  
           mov      eax, x  
           mov      [ecx+$20], eax  
           mov      eax, y  
           mov      [ecx+$28], eax  
         popad  
         end;  
   END;  
   procedure TForm1.Button1Click(Sender: TObject);//在控件中做个按钮 测试  
   var  
         CallParam:TPickCallParam;  
   begin;  
       getmem(pname,33);  
       myhwnd := FindWindow(nil,'Element Client');{查找窗口句柄}  
       GetWindowThreadProcessId(myhwnd, aproc); {得到窗口ID}  
       phnd := OpenProcess(PROCESS_VM_READ , False, aproc);{以完全访问权限打开进程句柄}  
       if (phnd<>0 ) then  
       begin  
         CallParam.ax:= 1860.0;    //给注入代码函数赋值  
         CallParam.ay:=120.0;      //给注入代码函数赋值  
         InjectFunc(myhWnd,@runCall,@CallParam,SizeOf(CallParam)); //运行注入代码函数  
         sleep(100);  
         CloseHandle(PHND) //关闭进程  
       end;  
   end;   

   三. 远程代码或DLL注入x86/x64/Win2k/win7~Win8.1 64位全可用(最重要的隆重登场)

   上面的一和二远程注入，在win7 64位系统下，不能成功注入service服务程序，下面代码实现在64位系统,可以注入系统进程，服务进程等!看关键函数NtCreateThreadEx，而在win7 64位下的注入问题http://forum.sources.ru/index.php?showtopic=313636有相应讨论

   program Inject;
    
   {$APPTYPE CONSOLE}
    
    
   {$IF CompilerVersion >= 21.0}
   {$WEAKLINKRTTI ON}
   {$RTTI EXPLICIT METHODS([]) PROPERTIES([]) FIELDS([])}
   {$IFEND}
    
   uses
    Winapi.Windows;
    
   Type
    NtCreateThreadExProc = Function(Var hThread:THandle; Access:DWORD; Attributes:Pointer; hProcess:THandle; pStart:Pointer; pParameter:Pointer; Suspended:BOOL; StackSize, u1, u2:DWORD; Unknown:Pointer):DWORD; stdcall; 
    
    
   Function CheckOs():Boolean;
   Var
    lpVersionInformation :TOSVersionInfoW;
   begin
    Result := False;
    if GetVersionExW(lpVersionInformation) then
    begin
    if lpVersionInformation.dwPlatformId = VER_PLATFORM_WIN32_NT Then
    begin
    if (lpVersionInformation.dwMajorVersion < 6) then
    begin
    Result := True;
    end; 
    end; 
    end;
   end;
    
   Function EnableDebugPrivilege():Boolean;
   Var
    hToKen :THandle;
    TokenPri :TTokenPrivileges;
   begin
    Result := False;
    if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES, hToKen)) Then
    begin
    TokenPri.PrivilegeCount := 1;
    If LookupPrivilegeValueW(Nil, 'SeDebugPrivilege', TokenPri.Privileges[0].Luid) Then
    begin
    TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    Result := AdjustTokenPrivileges(hToken, False, TokenPri, SizeOf(TTokenPrivileges), Nil, PDWORD(Nil)^);
    end Else Writeln('LookupPrivilege Error');
    CloseHandle(hToKen);
    end;
   end;
    
   Function RemoteThread(hProcess:THandle; pThreadProc:Pointer; pRemote:Pointer):THandle;
   Label NtCreate, Create;
   Var
    pFunc :Pointer;
    hThread :THandle;
   begin
    hThread := 0;
    if Not CheckOs() then //根据系统版本来选择使用的API
    begin
    NtCreate:
    pFunc := GetProcAddress(LoadLibraryW('ntdll.dll'), 'NtCreateThreadEx');
    if pFunc = Nil then Goto Create; 
    NtCreateThreadExProc(pFunc)(hThread, $1FFFFF, Nil, hProcess, pThreadProc, pRemote, False, 0, 0, 0, Nil);
    if hThread = 0 then Goto Create;
    end Else
    begin
    Create:
    hThread := CreateRemoteThread(hProcess, Nil, 0, pThreadProc, pRemote, 0, PDWORD(Nil)^); 
    end;
    Writeln('RemoteThread Ok!');
    Result := hThread;
   end; 
    
   Function InjectDll2Pid(szPath:PWideChar; uPID:DWORD):Boolean;
   Var
    hProcess :THandle;
    hThread :THandle;
    szRemote :PWideChar;
    uSize :SIZE_T;
    uWrite :SIZE_T;
    pStartAddr:Pointer;
   begin
    Result := False;
    if EnableDebugPrivilege then
    begin //先提升下进程的权限
    hProcess := OpenProcess(PROCESS_ALL_ACCESS, false, uPID);
    if hProcess > 0 then
    begin
    uSize := lstrlenW(szPath) * 2 + 4;
    szRemote := VirtualAllocEx(hProcess, Nil, uSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if WriteProcessMemory(hProcess, szRemote, szPath, uSize, uWrite) And (uWrite = uSize) then
    begin
    pStartAddr := GetProcAddress(LoadLibrary('Kernel32.dll'), 'LoadLibraryW');
    hThread := RemoteThread(hProcess, pStartAddr, szRemote);
    Result := hThread <> 0;
    CloseHandle(hThread);
    end Else
    begin
    Writeln('WriteMemory Error');
    end; 
    end; 
    end; 
   end; 
    
   Function StrToInt(S: String): Integer;
   Var
    E: Integer;
   Begin
    Val(S, Result, E);
   End;
    
   begin
    InjectDll2Pid(PWideChar(ParamStr(2)), StrToInt(ParamStr(1)));
   end.

   NtCreateThreadEx注入注意事项：

   64位的进程，只能使用64位的dll注入,注入程序本身也必须编译为64位程序，32位的进程，只能使用32位的dll注入，注入程序本身编译为32位程序，不然会注入不成功!比如你把程序编译为32程序，想在win7 64位下往services.exe注入，是不会成功的，services.exe在win7 64位下是64位程序!