(*
Example of DLL Code to test DLL Injection:
------------------------------------------
BOF>>
library UnprotectTestDLL;
uses
WinApi.Windows,
System.SysUtils,
System.Classes;
{$R *.res}
procedure DllMain(AReason: Integer);
var AMessage : String;
AStrReason : String;
begin
case AReason of
DLL_PROCESS_DETACH : AStrReason := 'DLL_PROCESS_DETACH';
DLL_PROCESS_ATTACH : AStrReason := 'DLL_PROCESS_ATTACH';
DLL_THREAD_ATTACH : AStrReason := 'DLL_THREAD_ATTACH';
DLL_THREAD_DETACH : AStrReason := 'DLL_THREAD_DETACH';
else
AStrReason := 'REASON_UNKNOWN';
end;
AMessage := Format('(%s): Injected! Living in %d (%s) process.', [
AStrReason,
GetCurrentProcessId(),
ExtractFileName(GetModuleName(0))
]);
///
OutputDebugStringW(PWideChar(AMessage));
end;
begin
DllProc := DllMain;
DllMain(DLL_PROCESS_ATTACH)
<<EOF
*)
// Supports both x86-32 and x86-64
program DLLInjection_CreateRemoteThread_LoadLibrary;
{$APPTYPE CONSOLE}
{$R *.res}
uses
WinApi.Windows,
System.SysUtils;
type
{ Exception raised when a Win32 call fails. The constructor reads
  GetLastError() as its first statement, so the stored code belongs to the
  failing call named by the caller, and the message text is built from
  SysErrorMessage(). Callers catch it as a plain Exception (see the program
  block) or inspect LastError for the numeric code. }
EWindowsException = class(Exception)
private
FLastError : Integer;  // GetLastError() value captured in the constructor
public
{@C}
{ WinAPI: name of the Win32 function that failed; used only in the message. }
constructor Create(const WinAPI : String); overload;
{@G}
{ Win32 error code recorded when the exception was created. }
property LastError : Integer read FLastError;
end;
{ EWindowsException.Create
  Message format: ___<WinAPI>: last_err=<code>, last_err_msg="<text>".
  GetLastError() is read before anything else runs in this constructor so the
  recorded code is the one left by the call named in WinAPI, not one produced
  by Format()/SysErrorMessage() afterwards. }
constructor EWindowsException.Create(const WinAPI : String);
begin
  // Capture the thread's last-error value first; every later call may clobber it.
  FLastError := GetLastError();
  inherited Create(
    Format('___%s: last_err=%d, last_err_msg="%s".',
           [WinAPI, FLastError, SysErrorMessage(FLastError)])
  );
end;
{ InjectDLL
  Loads ADLLFile into the process ATargetProcessId using the textbook
  "remote thread calling LoadLibraryW" sequence:
    OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread.
  Raises Exception when ADLLFile does not exist locally, and EWindowsException
  (carrying the failing API name and GetLastError) when any Win32 call fails.
  The process handle is always closed in the finally block; the thread handle
  returned by CreateRemoteThread is only compared with 0 and never closed or
  waited on, so the call returns before the DLL is actually loaded.
  NOTE(review): every step of this sequence is a well-known telemetry point
  for EDR / ETW-based detection (a cross-process handle opened with VM write
  rights, a remote allocation followed by a remote write, and a new thread
  whose start address is kernel32!LoadLibraryW); this routine is a test
  fixture for such detections, as the commented-out test DLL at the top of
  the file indicates. }
procedure InjectDLL(const ADLLFile : String; const ATargetProcessId : Cardinal);
var hProcess : THandle;            // handle to the target process (0 = open failed)
pOffset : Pointer;                 // address of the path buffer inside the target
AThreadId : Cardinal;              // id of the remote thread, written by CreateRemoteThread
ABytesWritten : SIZE_T;            // byte count reported by WriteProcessMemory (not checked)
begin
// The existence check runs in this process; the path is later resolved again
// by LoadLibraryW inside the target, which may see a different working set.
if not FileExists(ADLLFile) then
raise Exception.Create('DLL file not found!');
///
// Only VM operation/read/write rights are requested here.
hProcess := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_READ or PROCESS_VM_WRITE, False, ATargetProcessId);
if hProcess = 0 then
raise EWindowsException.Create('OpenProcess');
try
// Reserve a read/write buffer in the target to hold the DLL path.
pOffset := VirtualAllocEx(hProcess, nil, Length(ADLLFile), MEM_COMMIT, PAGE_READWRITE);
if not Assigned(pOffset) then
raise EWindowsException.Create('VirtualAllocEx');
// Copy the path as UTF-16, the encoding LoadLibraryW expects.
if not WriteProcessMemory(hProcess, pOffset, PWideChar(ADLLFile), Length(ADLLFile) * SizeOf(WideChar), ABytesWritten) then
raise EWindowsException.Create('WriteProcessMemory');
// Start a thread in the target whose entry point is LoadLibraryW and whose
// single argument is the remote path buffer. The LoadLibraryW address is
// resolved in this process and reused in the target; presumably relies on
// kernel32 sharing the same base address in both — TODO confirm for the
// target bitness. The returned thread handle is discarded without CloseHandle.
if CreateRemoteThread(hProcess, nil, 0, GetProcAddress(GetModuleHandle('Kernel32.dll'), 'LoadLibraryW'), pOffset, 0, AThreadId) = 0 then
raise EWindowsException.Create('CreateRemoteThread');
finally
// Release the process handle on every path, including the raise branches above.
CloseHandle(hProcess);
end;
end;
{ Program entry point: injects the hard-coded test DLL into the hard-coded
  process id and reports any exception on the console as
  "<ClassName>: <Message>". Both values are build-time constants; there is
  no command-line parsing. }
const
  TARGET_DLL_PATH = 'c:\temp\UnprotectTestDLL.dll';   { Desired DLL To Inject }
  TARGET_PID      = 12196;                            { Desired Process Id }
begin
  try
    InjectDLL(TARGET_DLL_PATH, TARGET_PID);
  except
    on E: Exception do
      Writeln(Format('%s: %s', [E.ClassName, E.Message]));
  end;
end.