
pascal版的野猪力量[分享]

2006-12-12 18:06
7627

shoooo大虾 写了个野猪力量
http://bbs.pediy.com/showthread.php?&threadid=33710
这个是VC写的,我没事拿Pascal重写了一遍
just 4 fun


program Project1;

uses
  sysutils,windows,tlhelp32;

{$R *.res}
var
  // First remote-thread payload, raw x86 (32-bit) machine code. Read by hand
  // from the bytes below, not executed here: a call/pop sequence computes the
  // stub's own address into ebp, then `lea eax,[ebp+$30]` / `push eax` /
  // `call [ebp+$130]`, `add eax,$1000`, `jmp eax`. MakeData1 stores the
  // ollydbg.exe path at +$30 and the LoadLibraryA address at +$130, so the
  // stub loads that image and jumps to base+$1000 — the assumption that
  // base+$1000 is the image's entry point is not checked anywhere; confirm
  // against the target image's headers.
  data1:array[0..25] of byte = (
        $E8, $00, $00, $00,
        $00, $5D, $83, $ED,
        $05, $8D, $45, $30,
        $50, $FF, $95, $30,
        $01, $00, $00, $05,
        $00, $10, $00, $00,
        $FF, $E0
  );
  // Second remote-thread payload: same call/pop prologue, then
  // `call [ebp+$134]` with the string at +$30 as argument (GetModuleHandleA,
  // see MakeData1), the returned handle pushed twice and `call [ebp+$138]`
  // (FreeLibrary) issued twice, ending in `ret 4` so the stub is shaped like
  // a thread start routine (one stack argument). Both payloads rely on the
  // pointer slots at +$130..+$138 being filled by MakeData1 before execution.
  data2:array[0..35] of byte = (
        $E8, $00, $00, $00,
        $00, $5D, $83, $ED,
        $05, $8D, $45, $30,
        $50, $FF, $95, $34,
        $01, $00, $00, $50,
        $50, $FF, $95, $38,
        $01, $00, $00, $FF,
        $95, $38, $01, $00,
        $00, $C2, $04, $00
  );
// Adjust process privilege for injection.
//
// Enables (bEnable = True) or disables (bEnable = False, attributes 0) the
// SeDebugPrivilege in the primary token of process `pid`. The program calls
// it with its own process id; SeDebugPrivilege is what later lets OpenProcess
// succeed against explorer.exe regardless of its DACL.
//
// Parameters:
//   pid     - id of the process whose token is adjusted.
//   bEnable - True to set SE_PRIVILEGE_ENABLED, False to clear the attribute.
//
// Returns nothing and reports nothing: every failure (privilege lookup,
// OpenProcess, OpenProcessToken, AdjustTokenPrivileges) is silently ignored.
//
// NOTE(review): AdjustTokenPrivileges returning TRUE does not mean the
// privilege was granted — the privilege must already be present in the token
// (i.e. an administrative account), otherwise the call succeeds with
// GetLastError = ERROR_NOT_ALL_ASSIGNED, which is never checked here.
// NOTE(review): hToken is only closed when AdjustTokenPrivileges succeeds;
// on failure the token handle leaks.
// From a monitoring standpoint, a non-debugger process enabling
// SeDebugPrivilege immediately before touching another process is by itself
// a signal worth alerting on.
procedure AdjustPrivilege(pid:integer; bEnable:boolean);
var
  hProcess:THANDLE;
  hToken:THANDLE;
  tkp,PrevTokenPriv: TTokenPrivileges;
  ReturnLength: DWORD;

begin
  // Exactly one privilege is adjusted; attributes default to "disabled".
  tkp.PrivilegeCount := 1;
  tkp.Privileges[0].Attributes := 0;
  if (bEnable=true) then
  begin
    tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
  end;
  // Resolve the LUID of SeDebugPrivilege on the local system (nil = local).
  if (LookupPrivilegeValue(nil, 'SeDebugPrivilege', tkp.Privileges[0].Luid)=true) then
  begin

          // PROCESS_ALL_ACCESS is more than OpenProcessToken needs; for the
          // caller's own process GetCurrentProcess() would avoid the open.
          hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
          if (hProcess>0) then
          begin
                  if (  OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)=true  ) then
                  begin
                      // PrevTokenPriv/ReturnLength receive the previous state
                      // but are never used to restore it.
                      if (AdjustTokenPrivileges(hToken, FALSE, tkp, SizeOf(TTOKENPRIVILEGES), PrevTokenPriv, ReturnLength)=true) then
                          begin
                            CloseHandle(hToken);
                          end;
                  end;
                  CloseHandle(hProcess);
          end;
  end;
end;

// Find the Explorer process.
//
// Walks a Toolhelp process snapshot and returns the process id of the first
// entry whose image name compares case-insensitively equal to 'EXPLORER.EXE',
// or 0 when no such process is found.
//
// NOTE(review): p32.dwSize is never initialised before Process32First; the
// API requires it to be SizeOf(p32), so the result here depends on whatever
// the stack happens to contain.
// NOTE(review): the snapshot handle hC is not checked against
// INVALID_HANDLE_VALUE, and on the "found" path the function exits without
// CloseHandle(hC), leaking the snapshot.
function FindExplorer():DWORD;
var
        hC:THANDLE;
        Next:boolean;
        p32:PROCESSENTRY32;
begin
        hC   := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
        Next := Process32First(hC, p32);
        while (Next)  do
        begin
                // Only the file name part is compared; no path or session check,
                // so in a multi-user session this is the first explorer.exe seen,
                // not necessarily the current user's.
                if (StrIComp(p32.szExeFile, 'EXPLORER.EXE') = 0) then
                begin
                  result := p32.th32ProcessID;
                  exit;
                end;
                Next := Process32Next(hC, p32);
        end;
        CloseHandle(hC);
        result:= 0;
end;

// Build the first payload in the local staging buffer.
//
// Layout written into the buffer at Address (the caller allocates $1000
// bytes, see the main block):
//   +$000  the data1 stub bytes (26 bytes)
//   +$030  NUL-terminated path "<current directory>\ollydbg.exe"
//   +$130  address of kernel32!LoadLibraryA
//   +$134  address of kernel32!GetModuleHandleA
//   +$138  address of kernel32!FreeLibrary
//
// Parameters:
//   Address - start of a writable buffer of at least $13C bytes.
//
// NOTE(review): the path comes from the current directory, not from the
// location of this executable, so the result depends on where the program
// is launched from.
// NOTE(review): szFileName holds MAX_PATH+1 chars; if the current directory
// does not fit, GetCurrentDirectory leaves the buffer untouched and returns
// the required size, which is not checked — StrCat then appends to
// uninitialised data. A path longer than $100 bytes written at +$30 would
// also run into the pointer slots at +$130.
// NOTE(review): the function addresses are resolved in this process and
// later used inside explorer.exe; this presumes kernel32 is mapped at the
// same base in both processes — TODO confirm for the target OS.
procedure MakeData1(Address:pointer);
var
szFileName:array[0..MAX_PATH] of char;
begin
        GetCurrentDirectory(MAX_PATH, szFileName);
        StrCat(szFileName, '\ollydbg.exe');
       
        StrCopy(pchar(Address)+$30, szFileName);
        PDWORD(pchar(Address)+$130)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA'));
        PDWORD(pchar(Address)+$134)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'GetModuleHandleA'));
        PDWORD(pchar(Address)+$138)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'FreeLibrary'));
  // The stub occupies only the first 26 bytes, so it does not overlap the
  // path or the pointer slots above.
  CopyMemory(Address, @data1, sizeof(data1));

end;

// Build the second payload in the local staging buffer.
//
// Overwrites only the first sizeof(data2) = 36 bytes at Address with the
// data2 stub. The path at +$30 and the pointer slots at +$130..+$138 are not
// touched, so they must already be present from an earlier MakeData1 call on
// the same buffer — data2 reads them when it runs.
//
// Parameters:
//   Address - the same staging buffer previously filled by MakeData1.
procedure MakeData2(Address:pointer);
begin
  CopyMemory(Address, @data2, sizeof(data2));
end;

// Program entry point.
//
// Sequence: enable SeDebugPrivilege for this process, locate explorer.exe,
// open it, allocate one RWX page in both processes, write the data1 payload
// and run it as a remote thread (loads ollydbg.exe into explorer.exe), then
// write the data2 payload into the same remote page and run it (releases
// the module again). The local page is reused for both payloads, so the
// path and pointer slots written by MakeData1 survive into the second round.
//
// NOTE(review): no return value is checked after OpenProcess — VirtualAlloc,
// VirtualAllocEx, WriteProcessMemory and both CreateRemoteThread calls may
// fail (nil / 0) and the program carries on regardless.
// NOTE(review): hProcess is never closed, and the second hThread is never
// closed; the first is closed only after its WaitForSingleObject.
// NOTE(review): the whole $1000-byte local page is copied, including bytes
// that were never written; VirtualAlloc(MEM_COMMIT) zero-fills fresh pages,
// so this is benign but copies more than needed.
// For detection purposes this is the textbook remote-thread injection
// sequence — OpenProcess(VM_WRITE|CREATE_THREAD) on a foreign process,
// VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory, then
// CreateRemoteThread pointing into the freshly allocated region — which is
// exactly what endpoint telemetry correlates on.
var
        PID:DWORD;
        hProcess:THANDLE;
        hThread:THANDLE;
        LocalAddress:PBYTE;
        RemoteAddress:PBYTE;
        temp:DWORD;
begin
        AdjustPrivilege(GetCurrentProcessId(), TRUE);
        PID := FindExplorer();
        if (PID = 0) then
        begin
                exit;
        end;
       
        // Minimal rights for allocate + write + thread creation in the target.
        hProcess := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, PID);
        if (hProcess = 0) then
        begin
                exit;
        end;
       
        // One page locally (staging) and one page in the target (execution);
        // both are requested executable+writable.
        LocalAddress  := PBYTE(VirtualAlloc(nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE));
        RemoteAddress := PBYTE(VirtualAllocEx(hProcess, nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE));
       
        MakeData1(LocalAddress);
       
        // temp receives the byte count here and the thread id below; neither is used.
        WriteProcessMemory(hProcess, RemoteAddress, LocalAddress, $1000, temp);
        hThread := CreateRemoteThread(hProcess, nil, 0, RemoteAddress, nil, 0, temp);
       
        // Block until the first stub has finished before overwriting the page.
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
       
        // Only the first 36 bytes of the local page change; path and pointers remain.
        MakeData2(LocalAddress);
        WriteProcessMemory(hProcess, RemoteAddress, LocalAddress, $1000, temp);
       
        hThread := CreateRemoteThread(hProcess, nil, 0, RemoteAddress, nil, 0, temp);
        WaitForSingleObject(hThread, INFINITE);
        VirtualFree(LocalAddress, 0, MEM_RELEASE);
        VirtualFreeEx(hProcess, RemoteAddress, 0, MEM_RELEASE);   
end.

不错,帮你把代码贴上来
2006-12-12 18:18
能否把kanxue修改的OLLICE注入
2006-12-12 21:20
pascal语言原来也挺厉害的。好东西
2006-12-13 10:32
?\      /?
  野猪的力量.
?/      \?..
2006-12-13 11:32
草原猎豹  真有N年没有出来了!!
2006-12-13 20:08