[求助]不用WriteProcessMemory,不用OpenProcess注入,求Delphi高手加个注释

2013-6-26 12:49
unit prjBypass;
// Proof-of-concept form unit: starts a target (notepad.exe) as a debuggee and
// steers its main thread from a debugger loop instead of writing into the
// target's memory. All of the logic lives in TForm1.btn2Click.

interface

uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, tlhelp32;
// tlhelp32 is imported but nothing from it is referenced in this unit.

type
TForm1 = class(TForm)
btn2: TButton;
lbl1: TLabel;
procedure btn2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
// Declared here but never called anywhere in this unit; the technique below
// only needs the handles returned by CreateProcess.
function OpenThread(dwDesiredAccess: DWord;
bInheritHandle: Bool;
dwThreadId: DWord): DWord; stdcall; external 'kernel32.dll';
// Win32 BOOL is mapped to Delphi Boolean on both the parameter and the result.
// This appears to work because stdcall passes a full 32-bit slot and the API
// returns 0/1 in EAX, but Windows.BOOL would be the exact type.
function DebugSetProcessKillOnExit(KillOnExit: boolean):boolean; stdcall;external 'kernel32.dll';
var
Form1: TForm1;

implementation

{$R *.dfm}

function HexToInt(HexNum: string): LongInt;
// Converts a bare hexadecimal digit string (no '0x'/'$' prefix) to a LongInt by
// prepending Delphi's '$' hex marker and delegating to StrToInt. Malformed or
// empty input raises EConvertError exactly as StrToInt would.
var
  Prefixed: string;
begin
  Prefixed := '$';
  Prefixed := Prefixed + HexNum;
  Result := StrToInt(Prefixed);
end;

function WaitForData(dDebug:TDebugEvent):Boolean;
// Pumps the debug-event loop until the debuggee either raises a single-step
// exception (returns True) or exits (returns False). Every other event,
// including non-single-step exceptions, is acknowledged with DBG_CONTINUE and
// therefore silently swallowed. The return value of WaitForDebugEvent is not
// checked.
// NOTE(review): dDebug is a value parameter, so the event data received here
// is never seen by the caller; the caller keeps reusing the process/thread ids
// it already held, which only works while they match the thread being stepped.
var
  SingleStepHit: Boolean;
begin
  SingleStepHit := False;
  while not SingleStepHit do
  begin
    WaitForDebugEvent(dDebug, INFINITE);
    case dDebug.dwDebugEventCode of
      EXCEPTION_DEBUG_EVENT:
        SingleStepHit := dDebug.Exception.ExceptionRecord.ExceptionCode = EXCEPTION_SINGLE_STEP;
      EXIT_PROCESS_DEBUG_EVENT:
      begin
        Result := False;
        Exit;
      end;
    end;
    // A single-step hit is returned without acknowledging the event; the
    // caller decides how to continue.
    if not SingleStepHit then
      ContinueDebugEvent(dDebug.dwProcessId, dDebug.dwThreadId, DBG_CONTINUE);
  end;
  Result := True;
end;

procedure TForm1.btn2Click(Sender: TObject);
// Demonstration of a debugger-driven control-flow redirection: the target is
// started as a debuggee and its main thread is steered, one instruction at a
// time, through a fixed list of addresses inside the target's own image.
// Nothing is written into the target's memory from here; every change goes
// through GetThreadContext / SetThreadContext on the debuggee's main thread.
//
// Limitations visible in this listing:
//  - every Eip value below is a hard-coded literal with no version check, so
//    the sequence is only valid for the one notepad.exe build it was taken
//    from and will misbehave on any other;
//  - return values of Get/SetThreadContext, ContinueDebugEvent and
//    DebugSetProcessKillOnExit are never checked;
//  - pi.hProcess and pi.hThread are never closed (handle leak per click);
//  - there is no DebugActiveProcessStop, so the process remains a debuggee of
//    this form for as long as the form is running.
// Detection note: a process created with DEBUG_PROCESS by a parent that is not
// a debugger, followed by SetThreadContext writes that populate Dr0/Dr7 and
// the trap flag, is the observable footprint of this technique.
var
pi: TProcessInformation;
si: TStartupInfo;
context:_CONTEXT;
dDebug:TDebugEvent;
dwOEP, dwESP, dwEAX, dwECX, dwEBP, dwEDI, dwEBX, dwEDX:DWORD;  // registers captured at the entry point
begin
FillMemory( @si, sizeof( si ), 0 );
si.cb := sizeof( si );
// CONTEXT_DEBUG_REGISTERS is required so that Dr0/Dr7 below are actually
// transferred by Get/SetThreadContext.
context.ContextFlags:=CONTEXT_FULL or CONTEXT_FLOATING_POINT or CONTEXT_DEBUG_REGISTERS;
// DEBUG_PROCESS makes this form the debugger of the new process (and of any
// child processes it creates).
If CreateProcess(Nil,PChar('notepad.exe'),Nil, Nil, False,DEBUG_PROCESS, Nil, Nil, si, pi ) then
begin

// Pump events until the create-process event arrives; give up if the
// debuggee has already exited. Same shape as WaitForData but for a
// different event code.
repeat
WaitForDebugEvent(dDebug,INFINITE);
if dDebug.dwDebugEventCode = CREATE_PROCESS_DEBUG_EVENT then
break;
if dDebug.dwDebugEventCode = EXIT_PROCESS_DEBUG_EVENT then
Exit;
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);
until 1=3;

//Set BP on OEP
// The entry point is read from EAX of the initial thread context at the
// create-process event (relies on the loader's initial register state —
// confirm for the target OS). Dr7 bit 0 (L0) enables the Dr0 breakpoint;
// with the R/W0 bits left zero it fires on execution of that address.
GetThreadContext(pi.hThread,context);
dwOEP := context.EAX;
context.Dr0 := dwOEP;
context.Dr7 := 1;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

// WaitForData takes dDebug by value, so dDebug here still holds the ids from
// the create-process event; every later ContinueDebugEvent reuses them.
if WaitForData(dDebug) = false then
Exit;

//We are at OEP
//Save Registers, change EIP to push eax
GetThreadContext(pi.hThread,context);
// Proceed only if the breakpoint really fired at the entry point; otherwise
// bail out (note: nothing detaches from or terminates the debuggee here).
if context.Eip = dwOEP then begin
context.Dr0 := 0;
context.Dr7 := 0;
//Save Registers
dwEBP := context.Ebp;
dwEAX := context.Eax;
dwEBX := context.Ebx;
dwECX := context.Ecx;
dwEDX := context.Edx;
dwESP := context.Esp;
dwEDI := context.Edi;
// Value placed in Eax before the first redirected instruction; its meaning is
// not stated in the listing — TODO confirm against the target build.
context.Eax := HexToInt('00796568');
// Hard-coded address inside notepad.exe (build-specific).
context.Eip := HexToInt('01007505');
// $0100 is the trap flag (TF): the thread executes one instruction and then
// raises EXCEPTION_SINGLE_STEP, which WaitForData waits for. Each step below
// repeats the pattern: set Eip, keep TF, resume, wait.
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);
end else
Exit;

if WaitForData(dDebug) = false then
Exit;

//Mov eax, esp
//Push 0
GetThreadContext(pi.hThread,context);
context.Eip := HexToInt('01002290');
context.Eax := context.Esp;
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

//push eax
GetThreadContext(pi.hThread,context);
context.Eip := HexToInt('01001B18');
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

//push eax
// Same address as the previous step, executed a second time on purpose.
GetThreadContext(pi.hThread,context);
context.Eip := HexToInt('01001B18');
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

//Push 0
GetThreadContext(pi.hThread,context);
context.Eip := HexToInt('01002290');
context.EFlags := Context.EFlags or $0100;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

//mov eax, messagebox
//call eax
// The API address is resolved in THIS process; it is only valid in the
// debuggee if user32.dll is mapped at the same base there (no ASLR or shared
// base) — nothing in the listing verifies that.
GetThreadContext(pi.hThread,context);
context.Eax := DWORD(GEtProcAddress(LoadLibrary('user32.dll'),'MessageBoxA'));
context.Eip := HexToInt('01002969');
// This step does not use TF: a hardware breakpoint is placed two bytes past
// Eip (presumably the instruction following the call) so the whole call
// runs before control comes back here.
context.Dr0 := context.Eip + 2;
context.Dr7 := 1;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

if WaitForData(dDebug) = false then
Exit;

GetThreadContext(pi.hThread,context);
//Restore the registers saved at the entry point and resume from it
// (the trap flag is not cleared here; confirm whether EFlags still carries
// $0100 at this point).
context.Eax := dwEAX;
context.Ebx := dwEBX;
context.Ecx := dwECX;
context.Edx := dwEDX;
context.Esp := dwESP;
context.Edi := dwEDI;
context.Eip := dwOEP;
context.Ebp := dwEBP;
context.Dr0 := 0;
context.Dr7 := 0;
SetThreadContext(pi.hThread,context);
ContinueDebugEvent(dDebug.dwProcessId,dDebug.dwThreadId,DBG_CONTINUE);

//Detach Process
// This only stops the debuggee being killed when this debugger exits; it is
// not a detach. No further debug events are consumed after this point.
DebugSetProcessKillOnExit(False);
end;
end;

end.


最新回复 (5)
通过调试函数 捕获异常 改写线程的寄存器达到类似shellcode的目的。
虽然不用OpenProcess,但需要用到OpenThread 。。。。
2013-6-26 13:51
创建进程,挂起,之后搞了一堆什么代码?
也没见它恢复线程,这个是注入代码吗?
2013-6-26 13:52
修改线程EIP。
2013-6-26 17:50
创建挂起的进程,然后往里面写入一段代码(或者说是ShellCode),这段代码最后一般会跳回原来的地方,然后修改主线程的上下文,把EIP指到这段代码上,唤醒进程.
2013-6-27 12:29
其实就是模仿调试器,单步一行代码后执行下一行代码
2013-6-28 14:35