unit uallKernel;
interface
uses windows, uallUtil;
function LoadLibraryX(dllname: pchar): integer; stdcall; overload;
function LoadLibraryX(dllname, name: pchar): integer; stdcall; overload;
function CreateRemoteThreadX(pid: cardinal; p: pointer): boolean; stdcall;
function OpenThreadX(access: integer; inherithandle: boolean; tid: integer): integer; stdcall;
function VirtualAllocExX(pid: cardinal; Size: cardinal): pointer; stdcall;
function GetProcAddressX(module: integer; procname: pchar): pointer; stdcall;
function VirtualFreeExX(pid: cardinal; Memaddr: pointer; Size: cardinal): boolean; stdcall;
function GetKernelHandle: integer; stdcall;
function GetOwnModuleHandle: cardinal; stdcall;
function GetRealModuleHandle(addr: pointer): cardinal stdcall;
implementation
uses uallProcess;
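function GetRealModuleHandle(addr: pointer): cardinal; stdcall;
{ Finds the base address (HMODULE) of the module that contains addr without
  knowing the module's name.  Module bases are 64 KB aligned, so the 64 KB
  boundary at or below addr is tried first and the candidate is stepped down
  in 64 KB units until GetModuleFileName accepts it as a module handle.
  Returns 0 when no candidate above address 0 is a module.
  NOTE(review): if addr lies in memory that is NOT part of any module (heap,
  VirtualAlloc block), the walk simply continues and reports the nearest
  module mapped below it.  A non-zero result therefore does not prove that
  addr belongs to the returned module; callers that need that guarantee must
  check the module's image size themselves. }
var
  candidate: cardinal;
  nameLen: cardinal;
  path: array[0..MAX_PATH] of char;
begin
  result := 0;
  candidate := cardinal(addr) and $FFFF0000;
  // Candidate 0 is never probed: GetModuleFileName(0) names the EXE itself
  // and would wrongly attribute the null page to it.
  while candidate <> 0 do
  begin
    nameLen := GetModuleFileName(candidate, path, MAX_PATH);
    if nameLen <> 0 then
    begin
      // Report the base that was actually accepted.  Deciding on the loop
      // counter after decrementing it loses the lowest possible base
      // ($10000), which is a valid module address.
      result := candidate;
      exit;
    end;
    dec(candidate, $10000);
  end;
end;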
function GetOwnModuleHandle: cardinal; stdcall;
{ Base address (HMODULE) of the module this unit is linked into, obtained by
  asking GetRealModuleHandle which module contains this very function rather
  than by trusting a stored instance handle.  Returns 0 if the lookup fails. }
var
  here: pointer;
begin
  here := @GetOwnModuleHandle;
  result := GetRealModuleHandle(here);
end;
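function GetKernelHandle: integer; stdcall;
{ Returns a kernel module base without any API call, by walking process
  structures reachable from the FS segment.  32-bit x86 only (FS:[30h] and
  the register usage below have no 64-bit equivalent here).
  NT path (FS:[30h] is a user-mode PEB pointer, sign bit clear), following
  the public 32-bit layout: PEB+0Ch = Ldr, Ldr+1Ch = head of
  InInitializationOrderModuleList, LODSD takes the first entry's Flink, and
  +08h from that link is the entry's DllBase - i.e. the base of the SECOND
  module in initialization order.
  NOTE(review): that second entry is kernel32.dll on NT4/2000/XP/2003, but
  on Windows 7 and later it is kernelbase.dll, so this returns the wrong
  module there.  Confirm on the target OS before relying on it.
  Win9x path (FS:[30h] has the sign bit set): walk of undocumented 9x kernel
  structures; the offsets are kept as found and were not re-verified.
  ESI is callee-saved under Delphi's inline-asm contract; LODSD modifies it,
  so it is saved and restored around the routine. }
asm
  PUSH ESI                      // callee-saved register clobbered by LODSD
  MOV EAX, FS:[030H]            // NT: PEB*; 9x: kernel-space pointer (sign bit set)
  TEST EAX, EAX
  JS @@W9X
@@WNT:
  MOV EAX, [EAX+00CH]           // PEB.Ldr
  MOV ESI, [EAX+01CH]           // Ldr.InInitializationOrderModuleList.Flink
  LODSD                         // EAX = first entry's Flink -> second entry's link
  MOV EAX, [EAX+008H]           // DllBase, +08h from InInitializationOrderLinks
  JMP @@K32
@@W9X:
  MOV EAX, [EAX+034H]
  LEA EAX, [EAX+07CH]
  MOV EAX, [EAX+03CH]
@@K32:
  POP ESI                       // result is left in EAX
end;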
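function GetProcAddressX(module: integer; procname: pchar): pointer; stdcall;
{ Resolves an export of a module that is already mapped in this process by
  reading its export directory directly, without calling GetProcAddress.
  procname follows the GetProcAddress convention: a NUL-terminated name, or
  an ordinal when the pointer value is <= $FFFF.  Forwarded exports
  ("TARGETDLL.Name" and "TARGETDLL.#ordinal") are followed, loading the
  target DLL with LoadLibrary when it is not mapped yet.
  Returns nil when module is 0, the DOS/NT signatures do not match, the
  module has no export directory, the name is absent, the ordinal falls
  outside the export address table, or the slot is empty.
  Index 0 (ordinal = Base) is a valid slot and is resolved; "not found" is
  signalled by an out-of-range index instead of by index 0.
  Caveats (unchanged from the original design): the name scan is linear
  rather than a binary search of the sorted name table; forwarder chains are
  followed recursively with no cycle guard; the forwarder DLL name is taken
  from the inspected image's own data and handed to LoadLibrary with the
  default search order, which also runs that DLL's DllMain. }
const
  // Field offsets inside IMAGE_EXPORT_DIRECTORY (not declared in Windows.pas)
  EXP_BASE                     = 16;
  EXP_NUMBER_OF_FUNCTIONS      = 20;
  EXP_NUMBER_OF_NAMES          = 24;
  EXP_ADDRESS_OF_FUNCTIONS     = 28;
  EXP_ADDRESS_OF_NAMES         = 32;
  EXP_ADDRESS_OF_NAME_ORDINALS = 36;
var
  DosHeader: PImageDosHeader;
  NtHeaders: PImageNtHeaders;
  ExpRva, ExpSize: cardinal;
  OrdinalBase, NumberOfFunctions, NumberOfNames: cardinal;
  FuncTable, NameTable, OrdinalTable: cardinal;
  Index, TargetRva, TargetOrdinal: cardinal;
  i, k, DotPos: integer;
  Wanted, Candidate, Forwarder, TargetDll, TargetName: string;
  TargetModule: HMODULE;

  // 32-bit field at an RVA of the inspected module.
  function U32(rva: cardinal): cardinal;
  begin
    result := PDWORD(cardinal(module) + rva)^;
  end;

  // 16-bit field at an RVA of the inspected module.
  function U16(rva: cardinal): word;
  begin
    result := PWord(cardinal(module) + rva)^;
  end;

begin
  Result := nil;
  if module = 0 then Exit;

  DosHeader := PImageDosHeader(module);
  if DosHeader^.e_magic <> IMAGE_DOS_SIGNATURE then Exit;
  NtHeaders := PImageNtHeaders(cardinal(module) + cardinal(DosHeader^._lfanew));
  if NtHeaders^.Signature <> IMAGE_NT_SIGNATURE then Exit;

  ExpRva  := NtHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
  ExpSize := NtHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
  if (ExpRva = 0) or (ExpSize = 0) then Exit;      // module exports nothing

  OrdinalBase       := U32(ExpRva + EXP_BASE);
  NumberOfFunctions := U32(ExpRva + EXP_NUMBER_OF_FUNCTIONS);
  NumberOfNames     := U32(ExpRva + EXP_NUMBER_OF_NAMES);
  FuncTable         := U32(ExpRva + EXP_ADDRESS_OF_FUNCTIONS);
  NameTable         := U32(ExpRva + EXP_ADDRESS_OF_NAMES);
  OrdinalTable      := U32(ExpRva + EXP_ADDRESS_OF_NAME_ORDINALS);

  // Step 1: turn the request into an index into the export address table.
  if cardinal(procname) > $FFFF then
  begin
    // By name.  Plain byte comparison (case-sensitive), as GetProcAddress
    // does.  Index starts at an out-of-range sentinel so a miss cannot be
    // confused with index 0.
    Wanted := procname;
    Index := NumberOfFunctions;
    for i := 0 to integer(NumberOfNames) - 1 do
    begin
      Candidate := PChar(cardinal(module) + U32(NameTable + cardinal(i) * 4));
      if Candidate = Wanted then
      begin
        // The ordinal table already holds the unbiased index (ordinal - Base).
        Index := U16(OrdinalTable + cardinal(i) * 2);
        Break;
      end;
    end;
  end
  else
  begin
    // By ordinal: the table is indexed by ordinal - Base.
    if cardinal(procname) < OrdinalBase then Exit;
    Index := cardinal(procname) - OrdinalBase;
  end;
  if Index >= NumberOfFunctions then Exit;          // not found / out of range

  TargetRva := U32(FuncTable + Index * 4);
  if TargetRva = 0 then Exit;                        // gap in a sparse ordinal range

  // Step 2: an RVA that points back inside the export directory is not code
  // but a forwarder string, "TARGETDLL.Name" or "TARGETDLL.#ordinal".
  if (TargetRva >= ExpRva) and (TargetRva < ExpRva + ExpSize) then
  begin
    Forwarder := PChar(cardinal(module) + TargetRva);
    DotPos := 0;
    for k := Length(Forwarder) downto 1 do           // split at the LAST dot
      if Forwarder[k] = '.' then
      begin
        DotPos := k;
        Break;
      end;
    if DotPos = 0 then Exit;
    TargetDll  := Copy(Forwarder, 1, DotPos - 1);
    TargetName := Copy(Forwarder, DotPos + 1, MaxInt);
    if TargetName = '' then Exit;

    TargetModule := GetModuleHandleA(PChar(TargetDll));
    if TargetModule = 0 then
      TargetModule := LoadLibrary(PChar(TargetDll));  // runs the target's DllMain
    if TargetModule = 0 then Exit;

    if TargetName[1] = '#' then
    begin
      // Forwarded by ordinal: decode the decimal digits after '#'.
      if Length(TargetName) < 2 then Exit;
      TargetOrdinal := 0;
      for k := 2 to Length(TargetName) do
      begin
        if not (TargetName[k] in ['0'..'9']) then Exit;
        TargetOrdinal := TargetOrdinal * 10 + cardinal(Ord(TargetName[k]) - Ord('0'));
        if TargetOrdinal > $FFFF then Exit;          // cannot be an ordinal
      end;
      Result := GetProcAddressX(integer(TargetModule), PChar(TargetOrdinal));
    end
    else
      Result := GetProcAddressX(integer(TargetModule), PChar(TargetName));
  end
  else
    Result := Pointer(cardinal(module) + TargetRva);
end;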
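function VirtualFreeExX(pid: cardinal; Memaddr: pointer; Size: cardinal): boolean; stdcall;
{ Releases a region obtained from VirtualAllocExX.
  pid: the target process id; if OpenProcess fails, the value is used as an
  already-open process handle instead (contract kept from the original).
  Size: accepted for interface compatibility but deliberately NOT passed on.
  VirtualFree/VirtualFreeEx require dwSize = 0 together with MEM_RELEASE and
  fail with ERROR_INVALID_PARAMETER otherwise, so forwarding a non-zero Size
  could never succeed and left the region allocated.
  Only PROCESS_VM_OPERATION is requested - the one right VirtualFreeEx
  needs - instead of PROCESS_ALL_ACCESS, so the call also works on targets
  that grant limited access.
  Returns True when the region was released. }
var
  opened: THandle;
  target: THandle;
begin
  opened := OpenProcess(PROCESS_VM_OPERATION, False, pid);
  if opened <> 0 then
    target := opened
  else
    target := pid;
  if isNT then
    // Windows.pas declares VirtualFreeEx as returning Pointer; non-nil = success.
    result := VirtualFreeEx(target, Memaddr, 0, MEM_RELEASE) <> nil
  else
    // Win9x: VirtualAllocExX allocated the region in this process.
    result := VirtualFree(Memaddr, 0, MEM_RELEASE);
  if opened <> 0 then
    CloseHandle(opened);
end;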
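function VirtualAllocExX(pid: cardinal; Size: cardinal): pointer; stdcall;
{ Allocates Size bytes of committed PAGE_EXECUTE_READWRITE memory for use in
  process pid; callers in this unit write code into it and point a thread at
  it, which is why the region has to be RWX (a property that commonly trips
  memory-scanning defenses - it is required here, not incidental).
  pid: the target process id; if OpenProcess fails, the value is used as an
  already-open process handle instead (contract kept from the original).
  NT: VirtualAllocEx in the target.  Only PROCESS_VM_OPERATION is requested,
  the one right VirtualAllocEx needs, instead of PROCESS_ALL_ACCESS.
  Win9x: there is no VirtualAllocEx, so the block is allocated in THIS
  process with the extra allocation-type flag $8000000.
  NOTE(review): $8000000 is not a documented allocation type; the Win9x
  shared-arena flag usually written for this trick is $80000000.  Left as
  found - confirm on a 9x target before changing it.
  Returns nil on failure (including Size = 0); release with VirtualFreeExX. }
var
  opened: THandle;
  target: THandle;
begin
  opened := OpenProcess(PROCESS_VM_OPERATION, False, pid);
  if opened <> 0 then
    target := opened
  else
    target := pid;
  if isNT then
    result := VirtualAllocEx(target, nil, Size, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
  else
    result := VirtualAlloc(nil, Size, $8000000 + MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if opened <> 0 then
    CloseHandle(opened);
end;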
function CreateRemoteThreadX(pid: cardinal; p: pointer): boolean; stdcall;
const THREAD_ALL_ACCESS = $1F03FF;
var tid: cardinal;
lpContext, mycontext: _CONTEXT;
mem: pointer;
written: cardinal;
sizeasm: integer;
heremem: pointer;
c: ^integer;
ended: boolean;
pid2: cardinal;
susp, i, resp: integer;
{ Template for the stub that CreateRemoteThreadX copies into the target
  process on Win9x (see the WriteProcessMemory / SetThreadContext sequence
  further down).  It is never called in this process; only its bytes matter.
  The parent patches two slots of the copy by fixed offset:
    +7   the PUSH $12345678 immediate  -> the requested thread start address p
    +16  the CALL rel32                -> re-targeted at kernel32!CreateThread
  The pushes build CreateThread(NULL, 0, p, NULL, 0, &tid) in stdcall order
  (PUSH EAX reserves the tid slot, PUSH ESP passes its address), POP EAX
  discards that slot, and the endless loop at the end parks the hijacked
  thread where the parent polls its EIP ("EIP = end - 3").
  Do not reorder, add or remove instructions: the offsets above and that
  EIP test depend on the exact encoding. }
procedure nothingbegin;
begin
asm
push eax        // tid slot (value unused)
push esp        // lpThreadId -> the slot just pushed
push 0          // dwCreationFlags
push 0          // lpParameter
push $12345678  // lpStartAddress; immediate at +7 is patched to p
push 0          // dwStackSize
push 0          // lpThreadAttributes
call nothingbegin;  // rel32 at +16 is patched to point at CreateThread
pop eax         // drop the tid slot
end;
while true do;  // park here; the parent detects this EIP and suspends the thread
end;
{ Empty end marker: @nothingend - @nothingbegin is the byte length of the
  stub the parent copies (sizeasm).  Relies on the compiler emitting it
  directly after nothingbegin; keep the two declarations adjacent. }
procedure nothingend; asm end;
begin
if isNT then
begin
pid2 := OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (pid2 <> 0) then
begin
result := CreateRemoteThread(pid2,nil,0,p,nil,0,tid) <> 0;
CloseHandle(pid2);
end else
begin
result := CreateRemoteThread(pid,nil,0,p,nil,0,tid) <> 0;
CloseHandle(pid);
end;
end else
begin
result := false;
if pid = 0 then
exit;
tid := GetThread(pid);
if tid = 0 then
exit;
tid := OpenThreadX(THREAD_ALL_ACCESS,false,tid);
if tid = 0 then
exit;
resp := integer(SuspendThread(tid));
susp := resp+1;
if susp <> 0 then
for i := 0 to susp-1 do
resp := integer(SuspendThread(tid));
if resp <> -1 then
begin
lpContext.ContextFlags := CONTEXT_FULL;
if GetThreadContext(tid,lpContext) then
begin
pid := OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if pid <> 0 then
begin
sizeasm := integer(@nothingend)-integer(@nothingbegin);
mem := VirtualAllocExX(pid,sizeasm);
heremem := VirtualAlloc(nil,sizeasm,MEM_COMMIT or MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (mem <> nil) and (heremem <> nil) then
begin
zeroMemory(heremem,sizeasm);
CopyMemory(heremem,@nothingbegin,sizeasm);
c := pointer(integer(heremem)+7);
c^ := integer(p);
c := pointer(integer(heremem)+16);
c^ := integer(getprocaddress(getmodulehandle('kernel32.dll'),'CreateThread'))
-5+1-integer(mem)+integer(heremem)-integer(c);
WriteProcessMemory(pid,mem,heremem,sizeasm,written);
VirtualFree(heremem,sizeasm,MEM_DECOMMIT);
if (integer(written) = sizeasm) then
begin
mycontext := lpcontext;
mycontext.Eip := integer(mem);
if SetThreadContext(tid,mycontext) then
begin
repeat
ended := false;
if integer(ResumeThread(tid)) <> -1 then
begin
Sleep(100);
if integer(SuspendThread(tid)) <> -1 then
if GetThreadContext(tid,mycontext) then
ended := sizeasm-integer(mycontext.Eip)+integer(mem) = 3;
end;
until ended;