From
Changuity Really
Library TestDLL;
Uses
SYSUTILS,
SYSTEM,
Windows,
Classes;
Procedure log (s: pchar); stdcall;
VAR
F: TextFile;
Begin
AssignFile (f, 'test.txt');
If FileExists ('Test.txt') THEN APPEND (F)
Else Rewrite (f);
Writeln (f, s);
Closefile (f);
END;
Procedure DllenTryPoint (dwreason: dword);
Begin
Case dwreason
DLL_PROCESS_ATTACH:
Log ('DLL Process Attach');
DLL_PROCESS_DETACH:
Log ('DLL Process Detach');
DLL_THREAD_ATTACH:
LOG ('DLL Thread Attach');
DLL_THREAD_DETACH:
LOG ('DLL Thread Detach');
END;
END;
Exports
Log;
Begin
DllProc: = @dllentrypoint;
DLLLENTRYPOINT (DLL_PROCESS_ATTACH);
End.
The injected host process prjzzhost.exe (it doesn't work, so I don't give a code here, because it is too simple, haha.
Finally, the most important come:
Project1.exe source code:
code
Unit unit1;
Interface
Uses
Windows, Messages, Sysutils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, Stdctrls, Tlhelp32;
Type
TLOG = procedure (s: pchar); stdcall;
TSERVICEMAIN = procedure (argc: integer; var argv: pchar); stdcall;
EDLLOADERROR = Class (Exception);
TFORM1 = Class (TFORM)
Button3: tbutton;
Procedure Button3Click (Sender: TOBJECT);
Private
{Private Declarations}
public
{Public declarations}
END;
VAR
FORM1: TFORM1;
IMPLEMentation
{$ R * .dfm}
{Listing process}
Procedure getmyProcessId (const); control; var processid: DWORD);
VAR
LPPE: TPROCESSENTRY32;
SSHANDLE: THANDLE;
Foundaproc, Foundok: Boolean;
Begin
ProcessID: = 0;
{Creation system snapshot}
SSHANDLE: = CreateToolHelp32Snapshot (TH32CS_SNAPPROCESS, 0);
{Get the first process of snapshot}
{Must set the size of the structure, otherwise it will return false}
LPPE.DWSIZE: = Sizeof (TProcesSsentry32);
Foundaproc: = Process32First (Sshandle, LPPE);
While Foundaproc DO
Begin
{Match} if pathmatch then
Foundok: = ansistricomp (lppe.szexefile, pchar (afilename) = 0
Else
Foundok: = ansistricomp (pchar (extractfilename (lppe.szeexefile), pchar (extraventfileename)) = 0;
IF Foundok Then
Begin
ProcessID: = lppe.th32processid;
Break;
END;
{Not found, continue next process}
FOUNDAPROC: = Process32Next (SSHANDLE, LPPE);
END;
Closehandle (SSHANDLE);
END;
{ Setting permissions }
Function enableddebugprivilege (const enabled: boolean): boolean;
VAR
HTK: THANDLE; {Open token handle}
RTNTemp: DWORD; {Narrows returned when the permissions}
Tokenpri: Token_Privileges;
Const
SE_Debug = 'sedebugprivilege'; {Query value}
Begin
Result: = FALSE;
{Get Process Token Handle, Set Permissions}
IF (GetProcessToken (GetCurrentProcess (), Token_adjust_privileges, htk) THEN
Begin
Tokenpri.Privilegect: = 1;
{Get Luid value}
LookuppprivileValue (nil, se_debug, tokenpri.privileges [0] .luid);
IF enabled then
TokenPri.Privileges [0] .attributes: = SE_PRIVILE_ENENABED
Else
Tokenpri.Privileges [0] .attributes: = 0;
RTNTEMP: = 0;
{Set new permissions}
AdjustTokenPrivileges (HTK, False, Tokenpri, Sizeof (Tokenpri), NIL, RTNTemp);
Result: = getLastError = Error_suCcess;
CloseHandle (HTK);
END;
END;
{Debug function}
Procedure OutputText (VAR CH: PCHAR);
VAR
FileHandle: TextFile;
Begin
Assignfile (FileHandle, 'zztest.txt');
Append (filehandle);
Writeln (FileHandle, CH);
Flush (FileHandle);
Closefile (FileHandle);
END;
{Injection remote process}
Function InjectTo (Const Host, Guest: string; const pid: dword = 0): DWORD;
VAR
{Irotive process handle, process ID}
HREMOTEPROCESS: THANDLE;
DWREMOTEPROCESSID: DWORD;
{Write to the content size of the remote process}
Memsize: DWORD;
{Add to the address after the remote process}
Pszlibfileremote: POINTER;
IReturNCode: boolean;
Tempvar: DWORD;
{Point to function loadLibraryw's address}
PfnStartaddr: TFNTHREADSTARTROUTINE; {DLL full path, you need to write to the memory of the remote process to go}
Pszlibafilename: pwidechar;
Begin
Result: = 0;
{ Setting permissions }
Enableddebugprivilege (TRUE);
{Assign the memory size for the injected DLL file path, because it is widechar, so take 2}
GetMem (pszlibafilename, length (guest) * 2 1);
StringTowidechar (Guest, Pszlibafilename, Length (Guest) * 2 1);
{Get Process ID}
IF PID> 0 THEN
DWRemoteProcessid: = PID
Else
GetMyProcessId (Host, False, DwremoteProcessid);
{Get a remote process handle, have write authority}
HREMOTEPROCESS: = OpenProcess (Process_create_thread {Allow Remote Creating Threads}
Process_vm_operation {Allow Remote VM Operation}
Process_vm_write, {Allow Remote VM Write}
False, dwremoteprocessid;
{Function VirtualaLalkEx allocates space in remote process, and write DLL path in WriteProcessMemory}
Memsize: = (1 lstrlenw (pszlibafilename) * Sizeof (Wchar);
PszlibfileRemote: = PWIDESTRING (VirtualaLalkEx (HremoteProcess, NIL, Memsize, Mem_Commit, Page_Readwrite);
Tempvar: = 0;
IReturNCode: = WriteProcessMemory (HREMOTEPROCESS, PSZLIBFILEMOTE, PSZLIBAFILENAME, MEMSIZE, TEMPVAR);
IReturNCode Then
Begin
PfnStartaddr: = getProcaddress (GetModuleHandle ('kernel32'), 'loadLibraryw');
Tempvar: = 0;
{Start DLL} in the remote process
Result: = CreateRemoteThread (HremoteProcess, NIL, 0, PfnStartaddr, PszlibfileRemote, 0, Tempvar);
END;
{Release memory space}
FreeMem (pszlibafilename);
END;
{Test}
Procedure TFORM1.BUTTON3CLICK (Sender: TOBJECT);
Begin
INJECTTTO ('prjzhost.exe', extractfilepath (paramstr (0)) 'Testdll.dll');
END;
End.
