注入QQ的进程
EXE部分代码:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,tlhelp32;
type
TForm1 = class(TForm)
Button1: TButton;
{ Click handler: calls AttachToProcess('QQ.exe', <exe dir>\Project2.dll);
  the implementation is further down in this unit. }
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
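var
Form1: TForm1;  { auto-created form instance; Button1 lives on it }
implementation
{ The resource directive below links the form layout (.dfm) that declares
  Button1. The listing had it written as "{ $R *.dfm }" - with the space it
  is an ordinary comment, the .dfm is not linked and creating TForm1 fails
  at runtime with "Resource TForm1 not found". }
{$R *.dfm}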
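{ Looks up a running process by image name through a ToolHelp snapshot.
  afilename : image name (or full path when pathmatch is True) to look for
  pathmatch : True  - compare the whole szExeFile string with afilename
              False - compare file names only (path stripped on both sides)
  processid : receives the PID of the first case-insensitive match, or 0 when
              nothing matched or the snapshot could not be taken. }
procedure findaprocess(const afilename:string; const pathmatch:boolean; var processid:DWORD);
var
lppe:TProcessEntry32;
sshandle:THandle;
Foundaproc,foundok:boolean;
begin
processid:=0;
sshandle:=createtoolhelp32snapshot(TH32CS_snapprocess,0);
// CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE (not 0);
// the original passed that value straight on to Process32First.
if sshandle=INVALID_HANDLE_VALUE then
  Exit;
try
  // Process32First is documented to fail with ERROR_INVALID_PARAMETER unless
  // dwSize is filled in first; the original never set it.
  FillChar(lppe, sizeof(lppe), 0);
  lppe.dwSize:=sizeof(lppe);
  foundaproc:=process32first(sshandle,lppe);
  while foundaproc do
  begin
    if pathmatch then
      foundok:=ansistricomp(lppe.szexefile,pchar(afilename))=0
    else
      foundok:=ansistricomp(pchar(extractfilename(lppe.szExeFile)),pchar(extractfilename(afilename)))=0;
    if foundok then
    begin
      processid:=lppe.th32ProcessID;
      break;
    end;
    foundaproc:=process32next(sshandle,lppe);
  end;
finally
  // the snapshot handle is now released on every path, including Break
  closehandle(sshandle);
end;
end;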
{ Enables (benable=True) or disables SeDebugPrivilege on the current process
  token; with it enabled, OpenProcess can reach processes the caller does not
  own. Returns True when AdjustTokenPrivileges left GetLastError = ERROR_SUCCESS.
  NOTE(review): the return values of LookupPrivilegeValue and
  AdjustTokenPrivileges themselves are ignored. AdjustTokenPrivileges can
  return TRUE and still set ERROR_NOT_ALL_ASSIGNED when the token does not
  hold the privilege (non-administrator caller); that is what makes the
  result False. Token privilege adjustments of this kind are auditable
  through Windows security auditing. }
function enabledebugprivilege(const benable:boolean):boolean;
var
htoken:thandle;
tp:token_privileges;
a:dword;
const
se_debug_name='sedebugprivilege';  { lowercase spelling of SE_DEBUG_NAME; presumably accepted case-insensitively - confirm }
begin
result:=false;
if(openprocesstoken(getcurrentprocess(),token_adjust_privileges,htoken)) then
begin
tp.PrivilegeCount:=1;
lookupprivilegevalue(nil,se_debug_name,tp.privileges[0].luid);
if benable then
tp.Privileges[0].Attributes:=SE_PRIVILEGE_ENABLED
else
tp.Privileges[0].Attributes:=0;
a:=0;  { ReturnLength out-parameter; unused because no previous-state buffer is passed }
adjusttokenprivileges(htoken,false,tp,sizeof(tp),nil,a);
result:=getlasterror=error_success;  { success is judged from GetLastError, not the function result }
closehandle(htoken);
end;
end;
{ Makes another process load GuestFile (a DLL path): the path is written into
  the target's address space and a remote thread is started at
  kernel32!LoadLibraryW with that buffer as its argument.
  HostFile  : image name resolved with FindAProcess when PID = 0
  GuestFile : full path of the DLL the target should load
  PID       : target process id; 0 means "find HostFile by name"
  Returns the CreateRemoteThread result, or 0 when WriteProcessMemory failed.
  Defender note: OpenProcess with PROCESS_VM_WRITE, VirtualAllocEx,
  WriteProcessMemory and CreateRemoteThread into LoadLibraryW is the classic
  remote-DLL-load sequence that Sysmon (CreateRemoteThread, event 8) and
  EDR sensors are built to surface.
  NOTE(review): hRemoteProcess is never closed and the remote buffer is never
  released with VirtualFreeEx; the OpenProcess and VirtualAllocEx results are
  used without being checked for failure (0 / nil). }
function attachtoprocess(const hostfile,guestfile:string;const PID:DWORD=0):DWORD;
var
hremoteprocess:Thandle;
dwremoteprocessid:Dword;
cb:dword;
pszlibfileremote:pointer;
ireturncode:boolean;
tempvar:dword;
pfnstartaddr:tfnthreadstartroutine;
pszlibafilename:pwidechar;
begin
Result := 0;
enabledebugprivilege(true);  { result ignored: a caller without the privilege simply continues }
{ NOTE(review): Length*2+1 is passed both as a byte count to GetMem and as
  DestSize to StringToWideChar, whose DestSize is presumably a character
  count; the wide copy plus terminator needs (Length+1)*2 bytes, so the
  buffer looks one byte short - confirm against the RTL signature. }
Getmem(pszLibAFilename, Length(GuestFile) * 2 + 1);
StringToWideChar(GuestFile, pszLibAFilename, Length(GuestFile) * 2 + 1);
if PID > 0 then
dwRemoteProcessID := PID
else
FindAProcess(HostFile, False, dwRemoteProcessID);  { leaves 0 when no match; OpenProcess(…, 0) then fails, unchecked }
//hremoteprocess:=openprocess(PROCESS_CREATE_THREAD+process_vm_operation+process_vm_write,false,dwremoteprocessid);
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + { allow creating a thread in the target }
PROCESS_VM_OPERATION + { allow virtual-memory operations in the target }
PROCESS_VM_WRITE, { allow writing the target's virtual memory }
FALSE, dwRemoteProcessId);
cb := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR);  { byte length of the wide path including its terminator }
pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, cb, MEM_COMMIT, PAGE_READWRITE));  { nil on failure, unchecked }
TempVar := 0;  { receives the number of bytes written }
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, cb, TempVar);
if iReturnCode then
begin
{ LoadLibraryW(LPCWSTR) has the shape of a thread start routine, so the
  remote thread's single argument is the path written above. Using the local
  address remotely assumes kernel32 is mapped at the same base in both
  processes. }
pfnStartAddr:=GetProcAddress(GetModuleHandle('Kernel32'),'LoadLibraryW');
tempvar:=0;  { reused here as the thread-id out-parameter }
result:=createremotethread(hremoteprocess,nil,0,pfnstartaddr,pszlibfileremote,0,tempvar)
end;
freemem(pszlibafilename);  { local copy only; the remote buffer and hRemoteProcess are leaked }
end;
{ Button1 handler: asks AttachToProcess to load Project2.dll (located next
  to this executable) into the first process whose image name is QQ.exe.
  The thread handle returned by AttachToProcess is discarded. }
procedure TForm1.Button1Click(Sender: TObject);
var
  DllPath: string;
begin
  DllPath := ExtractFilePath(ParamStr(0)) + 'Project2.dll';
  AttachToProcess('QQ.exe', DllPath);
end;
end.
DLL代码:
unit UnitDll;
interface
uses
SysUtils,
Classes,
Windows,
Dialogs;
var
hThreadHandle: Dword;  { handle of the clock thread started in initialization; 0 when CreateThread failed }
dwThreadID: Dword;     { thread-id out-parameter of CreateThread; not read anywhere in this unit }
implementation
{ Thread body of the DLL: every 100 ms it draws the local time in the top-left
  corner of the screen, using the desktop device context from GetDC(0).
  It never returns - the loop has no exit condition - and is stopped only by
  TerminateThread in finalization.
  NOTE(review): CreateThread expects a stdcall routine taking one pointer and
  returning DWORD; this parameterless procedure appears to get away with the
  mismatch only because it never returns. }
procedure ThreadProc;
var
  Desktop: HDC;
  Stamp: _SYSTEMTIME;
  Line: string;
begin
  repeat
    Sleep(100);
    GetLocalTime(Stamp);
    Line := Format('Current Time is %d-%d-%d %d:%d:%d',
      [Stamp.wYear, Stamp.wMonth, Stamp.wDay,
       Stamp.wHour, Stamp.wMinute, Stamp.wSecond]);
    Desktop := GetDC(0);
    TextOut(Desktop, 0, 0, PChar(Line), Length(Line));
    ReleaseDC(0, Desktop);
  until False;
end;
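initialization
{ Runs from DllMain(DLL_PROCESS_ATTACH), i.e. under the loader lock, so the
  work is handed to a thread instead of being done here. }
hThreadHandle := CreateThread(nil, 0, @ThreadProc, nil, 0, dwThreadID);
finalization
{ ThreadProc has no stop flag, so it can only be killed. TerminateThread
  releases nothing the thread holds (a desktop DC from GetDC(0), the memory
  manager lock), so it is a last resort. The original also leaked the thread
  handle; it is closed here after the thread is gone. }
if (hThreadHandle <> 0) then
begin
TerminateThread(hThreadHandle, 0);
CloseHandle(hThreadHandle);
hThreadHandle := 0;
end;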
end.