pascal版的野猪力量[分享]-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (5)
wynney 雪币： 224 活跃值： (147) 能力值： ( LV9，RANK：970 ) 在线值：发帖 65 回帖 1109 粉丝 7 关注私信	wynney 24 2 楼 program Project1; uses sysutils,windows,tlhelp32; {$R *.res} var data1:array[0..25] of byte = ( $E8, $00, $00, $00, $00, $5D, $83, $ED, $05, $8D, $45, $30, $50, $FF, $95, $30, $01, $00, $00, $05, $00, $10, $00, $00, $FF, $E0 ); data2:array[0..35] of byte = ( $E8, $00, $00, $00, $00, $5D, $83, $ED, $05, $8D, $45, $30, $50, $FF, $95, $34, $01, $00, $00, $50, $50, $FF, $95, $38, $01, $00, $00, $FF, $95, $38, $01, $00, $00, $C2, $04, $00 ); //Adjust process Privilege for injection procedure AdjustPrivilege(pid:integer; bEnable:boolean); var hProcess:THANDLE; hToken:THANDLE; tkp,PrevTokenPriv: TTokenPrivileges; ReturnLength: DWORD; begin tkp.PrivilegeCount := 1; tkp.Privileges[0].Attributes := 0; if (bEnable=true) then begin tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED; end; if (LookupPrivilegeValue(nil, 'SeDebugPrivilege', tkp.Privileges[0].Luid)=true) then begin hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); if (hProcess>0) then begin if ( OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)=true ) then begin if (AdjustTokenPrivileges(hToken, FALSE, tkp, SizeOf(TTOKENPRIVILEGES), PrevTokenPriv, ReturnLength)=true) then begin CloseHandle(hToken); end; end; CloseHandle(hProcess); end; end; end; //Find Explorer Process function FindExplorer():DWORD; var hC:THANDLE; Next:boolean; p32:PROCESSENTRY32; begin hC := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); Next := Process32First(hC, p32); while (Next) do begin if (StrIComp(p32.szExeFile, 'EXPLORER.EXE') = 0) then begin result := p32.th32ProcessID; exit; end; Next := Process32Next(hC, p32); end; CloseHandle(hC); result:= 0; end; //MakeData1 procedure MakeData1(Address:pointer); var szFileName:array[0..MAX_PATH] of char; begin GetCurrentDirectory(MAX_PATH, szFileName); StrCat(szFileName, '\ollydbg.exe'); StrCopy(pchar(Address)+$30, szFileName); PDWORD(pchar(Address)+$130)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA')); PDWORD(pchar(Address)+$134)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'GetModuleHandleA')); PDWORD(pchar(Address)+$138)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'FreeLibrary')); CopyMemory(Address, @data1, sizeof(data1)); end; //MakeData2 procedure MakeData2(Address:pointer); begin CopyMemory(Address, @data2, sizeof(data2)); end; //OEP var PID:DWORD; hProcess:THANDLE; hThread:THANDLE; LocalAddress:PBYTE; RemoteAddress:PBYTE; temp:DWORD; begin AdjustPrivilege(GetCurrentProcessId(), TRUE); PID := FindExplorer(); if (PID = 0) then begin exit; end; hProcess := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, PID); if (hProcess = 0) then begin exit; end; LocalAddress := PBYTE(VirtualAlloc(nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)); RemoteAddress := PBYTE(VirtualAllocEx(hProcess, nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)); MakeData1(LocalAddress); WriteProcessMemory(hProcess, RemoteAddress, LocalAddress, $1000, temp); hThread := CreateRemoteThread(hProcess, nil, 0, RemoteAddress, nil, 0, temp); WaitForSingleObject(hThread, INFINITE); CloseHandle(hThread); MakeData2(LocalAddress); WriteProcessMemory(hProcess, RemoteAddress, LocalAddress, $1000, temp); hThread := CreateRemoteThread(hProcess, nil, 0, RemoteAddress, nil, 0, temp); WaitForSingleObject(hThread, INFINITE); VirtualFree(LocalAddress, 0, MEM_RELEASE); VirtualFreeEx(hProcess, RemoteAddress, 0, MEM_RELEASE); end. 不错，帮你把代码贴上来 2006-12-12 18:18 0
liuyilin 雪币： 303 活跃值： (466) 能力值： ( LV2，RANK：10 ) 在线值：发帖 51 回帖 1007 粉丝 1 关注私信	liuyilin 3 楼能否把kanxue修改的OLLICE注入 2006-12-12 21:20 0
binbinbin 雪币： 405 活跃值： (10) 能力值： ( LV9，RANK：1130 ) 在线值：发帖 51 回帖 690 粉丝 0 关注私信	binbinbin 28 4 楼 pascal语言原来也挺厉害的。好东西 2006-12-13 10:32 0
xzchina 雪币： 615 活跃值： (1212) 能力值： ( LV4，RANK：50 ) 在线值：发帖 42 回帖 843 粉丝 0 关注私信	xzchina 1 5 楼 ?\ /? 野猪的力量. ?/ \?.． 2006-12-13 11:32 0
wofan[OCN] 雪币： 2943 活跃值： (1788) 能力值： ( LV9，RANK：850 ) 在线值：发帖 55 回帖 808 粉丝 8 关注私信	wofan[OCN] 21 6 楼草原猎豹真有N年没有出来了！！ 2006-12-13 20:08 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

wynney

雪币： 224

活跃值： (147)

能力值：

( LV9，RANK：970 )

在线值：

发帖

65

回帖

1109

粉丝

7

关注

私信

wynney 24: 2 楼

program Project1;

uses
  sysutils,windows,tlhelp32;

{$R *.res}
var
  data1:array[0..25] of byte = (
      $E8, $00, $00, $00,
      $00, $5D, $83, $ED,
      $05, $8D, $45, $30,
      $50, $FF, $95, $30,
      $01, $00, $00, $05,
      $00, $10, $00, $00,
      $FF, $E0
  );
  data2:array[0..35] of byte = (
      $E8, $00, $00, $00,
      $00, $5D, $83, $ED,
      $05, $8D, $45, $30,
      $50, $FF, $95, $34,
      $01, $00, $00, $50,
      $50, $FF, $95, $38,
      $01, $00, $00, $FF,
      $95, $38, $01, $00,
      $00, $C2, $04, $00
  );
//Adjust process Privilege for injection
procedure AdjustPrivilege(pid:integer; bEnable:boolean);
var
  hProcess:THANDLE;
  hToken:THANDLE;
  tkp,PrevTokenPriv: TTokenPrivileges;
  ReturnLength: DWORD;

begin
  tkp.PrivilegeCount := 1;
  tkp.Privileges[0].Attributes := 0;
  if (bEnable=true) then
  begin
tkp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
  end;
  if (LookupPrivilegeValue(nil, 'SeDebugPrivilege', tkp.Privileges[0].Luid)=true) then
  begin

      hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
      if (hProcess>0) then
      begin
               if (  OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY, hToken)=true  ) then
               begin
                  if (AdjustTokenPrivileges(hToken, FALSE, tkp, SizeOf(TTOKENPRIVILEGES), PrevTokenPriv, ReturnLength)=true) then
                        begin
                        CloseHandle(hToken);
                        end;
               end;
               CloseHandle(hProcess);
      end;
  end;
end;

//Find Explorer Process
function FindExplorer():DWORD;
var
hC:THANDLE;
Next:boolean;
p32:PROCESSENTRY32;
begin
      hC := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
      Next := Process32First(hC, p32);
      while (Next)  do
      begin
            if (StrIComp(p32.szExeFile, 'EXPLORER.EXE') = 0) then
            begin
               result := p32.th32ProcessID;
               exit;
            end;
            Next := Process32Next(hC, p32);
      end;
      CloseHandle(hC);
      result:= 0;
end;

//MakeData1
procedure MakeData1(Address:pointer);
var
szFileName:array[0..MAX_PATH] of char;
begin
GetCurrentDirectory(MAX_PATH, szFileName);
StrCat(szFileName, '\ollydbg.exe');

StrCopy(pchar(Address)+$30, szFileName);
PDWORD(pchar(Address)+$130)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA'));
PDWORD(pchar(Address)+$134)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'GetModuleHandleA'));
PDWORD(pchar(Address)+$138)^ := DWORD(GetProcAddress(GetModuleHandle('kernel32'), 'FreeLibrary'));
  CopyMemory(Address, @data1, sizeof(data1));

end;

//MakeData2
procedure MakeData2(Address:pointer);
begin
  CopyMemory(Address, @data2, sizeof(data2));
end;

//OEP
var
PID:DWORD;
hProcess:THANDLE;
hThread:THANDLE;
LocalAddress:PBYTE;
RemoteAddress:PBYTE;
temp:DWORD;
begin
AdjustPrivilege(GetCurrentProcessId(), TRUE);
PID := FindExplorer();
if (PID = 0) then
begin
exit;
end;

hProcess := OpenProcess(PROCESS_CREATE_THREAD or PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, PID);
if (hProcess = 0) then
begin
exit;
end;

LocalAddress  := PBYTE(VirtualAlloc(nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE));
RemoteAddress := PBYTE(VirtualAllocEx(hProcess, nil, $1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE));

MakeData1(LocalAddress);

WriteProcessMemory(hProcess, RemoteAddress, LocalAddress, $1000, temp);
hThread := CreateRemoteThread(hProcess, nil, 0, RemoteAddress, nil, 0, temp);

WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);

MakeData2(LocalAddress);
WriteProcessMemory(hProcess, RemoteAddress, LocalAddress, $1000, temp);

hThread := CreateRemoteThread(hProcess, nil, 0, RemoteAddress, nil, 0, temp);
WaitForSingleObject(hThread, INFINITE);
VirtualFree(LocalAddress, 0, MEM_RELEASE);
VirtualFreeEx(hProcess, RemoteAddress, 0, MEM_RELEASE);
end.

不错，帮你把代码贴上来