unit func;
interface
uses
Windows, TlHelp32, SysUtils;
const
// Image name of the process that FuGinaLock/FuGinaUnLock load their DLL into.
// GetProcessID matches it as a case-insensitive substring of the exe name.
STR_INJECT_EXE = 'WinLogon.exe';
// Process / thread access rights ------------------
// Thread access-right masks redeclared locally (values are the Win32 THREAD_*
// rights). Only THREAD_ALL_ACCESS is referenced in this unit (OpenThread2,
// OpenThreadNT).
THREAD_TERMINATE = $0001;
THREAD_SUSPEND_RESUME = $0002;
THREAD_GET_CONTEXT = $0008;
THREAD_SET_CONTEXT = $0010;
THREAD_SET_INFORMATION = $0020;
THREAD_QUERY_INFORMATION = $0040;
THREAD_SET_THREAD_TOKEN = $0080;
THREAD_IMPERSONATE = $0100;
THREAD_DIRECT_IMPERSONATION = $0200;
THREAD_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED or SYNCHRONIZE or $3FF;
// Privilege names (typed PChar constants, as expected by LookupPrivilegeValue).
// Only SE_DEBUG_NAME is used in this unit (Set/UnSetCurProcessDbgPrivilege).
SE_CREATE_TOKEN_NAME : PChar = 'SeCreateTokenPrivilege';
SE_ASSIGNPRIMARYTOKEN_NAME : PChar = 'SeAssignPrimaryTokenPrivilege';
SE_LOCK_MEMORY_NAME : PChar = 'SeLockMemoryPrivilege';
SE_INCREASE_QUOTA_NAME : PChar = 'SeIncreaseQuotaPrivilege';
SE_UNSOLICITED_INPUT_NAME : PChar = 'SeUnsolicitedInputPrivilege';
SE_MACHINE_ACCOUNT_NAME : PChar = 'SeMachineAccountPrivilege';
SE_TCB_NAME : PChar = 'SeTcbPrivilege';
SE_SECURITY_NAME : PChar = 'SeSecurityPrivilege';
SE_TAKE_OWNERSHIP_NAME : PChar = 'SeTakeOwnershipPrivilege';
SE_LOAD_DRIVER_NAME : PChar = 'SeLoadDriverPrivilege';
SE_SYSTEM_PROFILE_NAME : PChar = 'SeSystemProfilePrivilege';
SE_SYSTEMTIME_NAME : PChar = 'SeSystemtimePrivilege';
SE_PROF_SINGLE_PROCESS_NAME : PChar = 'SeProfileSingleProcessPrivilege';
SE_INC_BASE_PRIORITY_NAME : PChar = 'SeIncreaseBasePriorityPrivilege';
SE_CREATE_PAGEFILE_NAME : PChar = 'SeCreatePagefilePrivilege';
SE_CREATE_PERMANENT_NAME : PChar = 'SeCreatePermanentPrivilege';
SE_BACKUP_NAME : PChar = 'SeBackupPrivilege';
SE_RESTORE_NAME : PChar = 'SeRestorePrivilege';
SE_SHUTDOWN_NAME : PChar = 'SeShutdownPrivilege';
SE_DEBUG_NAME : PChar = 'SeDebugPrivilege';
SE_AUDIT_NAME : PChar = 'SeAuditPrivilege';
SE_SYSTEM_ENVIRONMENT_NAME : PChar = 'SeSystemEnvironmentPrivilege';
SE_CHANGE_NOTIFY_NAME : PChar = 'SeChangeNotifyPrivilege';
SE_REMOTE_SHUTDOWN_NAME : PChar = 'SeRemoteShutdownPrivilege';
type
// Win9x kernel process database (PDB). The layout and field names are the
// original author's reconstruction of an undocumented structure and are not
// verified here; this unit only ever reads pHandleTable (OpenThread2).
PPDB = ^T_PDB;
T_PDB = record
mType : WORD;
Refcount : WORD;
Unk0 : DWORD;
Unk1 : DWORD;
Unk2 : DWORD;
TermStatus : DWORD;
Unk3 : DWORD;
DefaultHeap : DWORD;
MemContext : DWORD;
Flags : DWORD;
pPsp : DWORD;
psSelector : WORD;
METIndex : WORD;
nThreads : WORD;
nThreadsNotTerm : WORD;
Unk5 : WORD;
nR0Threads : WORD;
HeapHandle : DWORD;
K16TDBSel : WORD;
Unk6 : WORD;
Unk7 : DWORD;
pEDB : DWORD;
pHandleTable : DWORD;
ParentPDB : PPDB;
ModRefList : DWORD;
ThreadList : DWORD;
DebugeeCB : DWORD;
LHFreeHead : DWORD;
InitialR0ID : DWORD;
END;
PDB = T_PDB;
// Win9x kernel thread database (TCB); same caveat as T_PDB. This unit reads
// only the first byte (mType, expected to be 7) and pParentPDB (OpenThread2).
T_TCB = record
mType : WORD;
RefCount : WORD;
Unk1 : DWORD;
pvExcept : DWORD;
TopOfStack : DWORD;
BaseOfStace : DWORD;
K16TDB : WORD;
StackSel16 : WORD;
Unk2 : DWORD;
UserPointer : DWORD;
pTIB : DWORD;
TIBFlags : WORD;
Win16MutxCnt : WORD;
DebugContext : DWORD;
PtrToCurPri : DWORD;
MsgQueue : DWORD;
pTLSarray : DWORD;
pParentPDB : PPDB;
SelmanList : DWORD;
Unk3 : DWORD;
Flags : DWORD;
status : DWORD;
TibSel : WORD;
EmulatorSel : WORD;
HandleCount : DWORD;
WaitNodeList : DWORD;
R0hThread : DWORD;
ptdbx : DWORD;
END;
TCB = T_TCB;
PTCB = ^T_TCB;
// Signature of the Win9x ID de-obfuscation routine called by XORProcessThreadID.
OBFUNC = FUNCTION(dwPTID : DWORD):pointer;stdcall;
// Signature OpenThreadNT uses for ntdll's NtOpenThread: handle out, access
// mask, then two untyped var blocks (presumably object attributes and client id).
OTFUNC = FUNCTION(pH : PHandle; dwVal : DWORD; VAR VAR1; VAR VAR2):DWORD;stdcall;
TLoadLibraryA = FUNCTION (lpLibFileName: PAnsiChar): HMODULE; stdcall;
// Block that LoadDllToProcess writes into the target process. The remote
// thread starts at InjectCode (a byte copy of RemoteLoadFunc) and receives a
// pointer to this record as its parameter. hDLL is never referenced in this unit.
TLoadInjectInfo = Record
fnLoadLibraryA : TLoadLibraryA;
szDllName : array[0..255] of AnsiChar;  // NUL-terminated DLL path
hDLL : HModule;
InjectCode : array [0..99] of byte;     // machine code copied from RemoteLoadFunc
end;
PLoadInjectInfo = ^TLoadInjectInfo;
TMessageBeep = FUNCTION (uType: UINT): BOOL; stdcall;
TFreeLibrary = FUNCTION (hLibModule: HMODULE): BOOL; stdcall;
// Counterpart written by UnLoadDllFromProcess; InjectCode holds a byte copy of
// RemoteFreeFunc. fnMessageBeep/uBeep are filled in but the remote MessageBeep
// call is commented out in RemoteFreeFunc.
TFreeInjectInfo = Record
fnFreeLibrary : TFreeLibrary;
hLibModule : HMODULE;
fnMessageBeep : TMessageBeep;
uBeep : UINT;
InjectCode : array[0..99] of byte;      // machine code copied from RemoteFreeFunc
end;
PFreeInjectInfo = ^TFreeInjectInfo;
VAR
// Unit-level handles. Only hdlMod is read or written in this unit (FuGinaLock
// stores the remote module handle, FuGinaUnLock clears it); the other three
// are never referenced here.
hdlThread : THandle =0;
hdlInjectProcess : THandle =0;
hdlInjectThread : THandle =0;
hdlMod : HModule =0;
//------------------------------------------------------------------------------
// Process / thread lookup
FUNCTION OpenThread2(dwThreadID : DWORD; bInherit : BOOL):THandle;stdcall;
FUNCTION GetProcessID(strProcessName : string):DWORD;
FUNCTION GetThreadID(dwOwnerProcessID : DWORD):DWORD;
FUNCTION GetTrueProcAddress(lpMod : PChar; lpFunc : PChar):pointer;stdcall;
FUNCTION OpenThreadNT(dwThreadID : DWORD; bInherit : BOOL):THandle;stdcall;
// Privilege handling
// NOTE(review): SetPrivilege is declared stdcall (and Export) here, but its
// implementation heading further down carries no calling-convention directive;
// confirm the compiler in use accepts that mismatch.
FUNCTION SetPrivilege(hToken : THandle; strPrivilege : PChar; bEnable:BOOL):BOOL;stdcall;Export;
FUNCTION SetCurProcessDbgPrivilege:BOOL;
FUNCTION UnSetCurProcessDbgPrivilege:BOOL;
// Remote load / unload of a DLL in another process
FUNCTION LoadDllToProcess(hProcess:Thandle; strDllName:PChar; var dllHandle:HModule):BOOL;
FUNCTION UnLoadDllFromProcess(hProcess:THandle; hLibModule: HModule; var bOK:BOOL):BOOL;
// Lock / unlock entry points
FUNCTION FuGinaLock(vDll:String):Boolean;stdcall;
FUNCTION FuGinaUnLock():Boolean;stdcall;
implementation
//-------------------------------------------------------------------------------------
// Loads 'KeyBoardRS.dll' into the process named STR_INJECT_EXE. vDll is used
// as a plain string prefix for the DLL name (no path separator is added), so
// the caller is expected to pass a directory ending in one — confirm at call site.
// Returns True on success and keeps the remote module handle in the unit
// global hdlMod so FuGinaUnLock can free it later.
// Returns False when: SeDebugPrivilege cannot be enabled, a module is already
// loaded (hdlMod <> 0), the target process is not found, or it cannot be
// opened with PROCESS_ALL_ACCESS. LoadDllToProcess never returns FALSE; it
// raises via RaiseLastWin32Error on Win32 failure (see its implementation).
// NOTE(review): if LoadDllToProcess raises, hProcess is leaked (CloseHandle is
// reached only on success), and the debug privilege enabled here is never
// reverted by this function.
// Defender note: enabling SeDebugPrivilege and then opening winlogon.exe with
// PROCESS_ALL_ACCESS is a high-signal sequence for endpoint monitoring; the
// remote-thread details are in LoadDllToProcess.
FUNCTION FuGinaLock(vDll:String):Boolean;stdcall;
VAR
dwProcessID : DWORD;
hProcess : THandle;
DllName : String;
BEGIN
DllName:='KeyBoardRS.dll';
vDll:=vDll+DllName;
Result:=false;
dwProcessID:=0; hProcess:=0;
IF NOT SetCurProcessDbgPrivilege() THEN Exit;
IF hdlMod<>0 THEN Exit;
// Resolve the target process ID
dwProcessID := GetProcessID(STR_INJECT_EXE);
IF dwProcessID=0 THEN Exit;
// Open the target process
hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
IF hProcess=0 THEN Exit;
// Load the DLL remotely; the explicit #0 guarantees a NUL-terminated PChar
IF NOT LoadDllToProcess(hProcess,PCHAR(vDll+#0),hdlMod) THEN Exit;
CloseHandle(hProcess);
Result:=true;
END;
// Frees the module previously loaded by FuGinaLock (handle in hdlMod) from the
// process named STR_INJECT_EXE and resets hdlMod to 0.
// Returns False when no module is recorded (hdlMod = 0), the target process is
// not found, or it cannot be opened. UnLoadDllFromProcess never returns FALSE;
// it raises on Win32 failure.
// NOTE(review): bOK (the remote FreeLibrary result) is received but never
// examined, so hdlMod is cleared even if the remote FreeLibrary returned
// FALSE. As in FuGinaLock, hProcess is not closed if UnLoadDllFromProcess raises.
FUNCTION FuGinaUnLock():Boolean;stdcall;
VAR
dwProcessID : DWORD ;
hProcess : THandle ;
bOK : BOOL;
BEGIN
Result:=false;
dwProcessID:=0; hProcess:=0;
// Nothing to do unless a module was loaded
IF hdlMod=0 THEN Exit;
// Resolve the target process ID
dwProcessID := GetProcessID(STR_INJECT_EXE);
IF dwProcessID=0 THEN Exit;
// Open the target process
hProcess := OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
IF hProcess=0 THEN Exit;
// Free the module inside the target process
IF NOT UnLoadDllFromProcess(hProcess, hdlMod, bOK) THEN Exit;
CloseHandle(hProcess);
hdlMod := 0; Result:=True;
END;
//-------------------------------------------------------------------------------------
//-------------------------------------------------------------------------------------
// Thread body executed inside the target process: calls LoadLibraryA through
// the pointer carried in the injected record and returns the module handle as
// the thread exit code.
// LoadDllToProcess copies the first SizeOf(InjectCode) bytes of this function's
// machine code into the target, so the compiled body must fit in that space
// and must not reference anything in this module by absolute address. Do not
// edit this function without re-validating the copied byte count.
FUNCTION RemoteLoadFunc(p : PLoadInjectInfo):DWORD;stdcall;
begin
Result := DWORD(p.fnLoadLibraryA(p.szDllName));
end;
// Thread body executed inside the target process: calls FreeLibrary on the
// module handle in the injected record and returns its BOOL result as the
// thread exit code. The MessageBeep call is intentionally disabled.
// Same constraint as RemoteLoadFunc: UnLoadDllFromProcess copies this
// function's first SizeOf(InjectCode) bytes, so the compiled body must fit and
// stay position-independent.
FUNCTION RemoteFreeFunc(p : PFreeInjectInfo):DWORD;stdcall;
begin
// p.fnMessageBeep(p.uBeep);
Result := DWORD(p.fnFreeLibrary(p.hLibModule));
end;
// Loads strDllName into hProcess by copying the machine code of RemoteLoadFunc
// together with a TLoadInjectInfo record into the target and running it on a
// remote thread; the thread's exit code (the remote LoadLibraryA result) is
// returned in dllHandle.
// hProcess must carry VM operate/write, thread-creation and query rights (the
// callers in this unit open it with PROCESS_ALL_ACCESS).
// Returns TRUE on every path that completes; Win32 failures are reported by
// raising via RaiseLastWin32Error, never by returning FALSE.
// NOTE(review): szDllName is array[0..255] but the copy loop below is not
// bounded by it — a name of 256+ characters writes past the field.
// NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize = 0; passing
// SizeOf(TLoadInjectInfo) makes the release fail (return value unchecked), so
// the remote block stays allocated.
// NOTE(review): GetExitCodeThread's result is unchecked and dwExitCode is not
// initialised, so on failure dllHandle receives an indeterminate value. The
// INFINITE wait also blocks this caller for as long as the remote LoadLibraryA
// takes (e.g. a DllMain that never returns).
// Defender note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory +
// CreateRemoteThread into another process is the canonical remote-thread
// injection sequence and is widely monitored (e.g. Sysmon event 8).
FUNCTION LoadDllToProcess(hProcess:THandle;
strDllName:PChar;
var dllHandle:HModule):BOOL;
var
pCode : ^Byte;
i : Integer;
InjectInfo : TLoadInjectInfo;
pRemoteCode : PLoadInjectInfo;
dwCount : DWORD;
dwThreadID : DWORD;
hThread : THandle;
dwExitCode : DWORD;
begin
result := TRUE;
dllHandle := 0;
try
// Copy the first SizeOf(InjectCode) (100) bytes of RemoteLoadFunc.
pCode := Addr(RemoteLoadFunc);
for i:=0 to SizeOf(InjectInfo.InjectCode) - 1 do begin
InjectInfo.InjectCode[i] := pCode^;
Inc(pCode);
end;
// kernel32 is mapped at the same address in every process on this platform
// assumption, so the local LoadLibraryA pointer is valid in the target.
InjectInfo.fnLoadLibraryA := GetProcAddress(GetModuleHandle('Kernel32.dll'),
'LoadLibraryA');
// Copies strlen+1 characters (the terminator included); no bound against
// SizeOf(szDllName) is applied.
for i:=0 to strlen(strDllName) do begin
InjectInfo.szDllName[i] := strDllName[i];
end;
// Redundant: the loop above already copied the NUL at index strlen.
InjectInfo.szDllName[strlen(strDllName)] := Char(0);
pRemoteCode := nil;
pRemoteCode := VirtualAllocEx( hProcess,
nil,
SizeOf(TLoadInjectInfo),
MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if (pRemoteCode = nil) then
RaiseLastWin32Error;
if not WriteProcessMemory(hProcess,
pRemoteCode,
@InjectInfo,
SizeOf(TLoadInjectInfo),
dwCount) then
RaiseLastWin32Error;
hThread := 0;
// Entry point is the copied code inside the remote record; the record's
// own address is passed as the thread parameter (RemoteLoadFunc's p).
hThread := CreateRemoteThread( hProcess,
nil,
0,
Addr(pRemoteCode^.InjectCode[0]),
pRemoteCode,
0,
dwThreadId);
if hThread=0 then
RaiseLastWin32Error;
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, dwExitCode);
dllHandle := dwExitCode;
CloseHandle(hThread);
finally
// Release the remote block; see the MEM_RELEASE size note above.
if Assigned(pRemoteCode) then
VirtualFreeEx( hProcess,
pRemoteCode,
SizeOf(TLoadInjectInfo),
MEM_RELEASE);
end;
end;
// Frees hLibModule inside hProcess by the same remote-thread technique as
// LoadDllToProcess, using RemoteFreeFunc and a TFreeInjectInfo record. The
// remote FreeLibrary result (thread exit code) is returned in bOK.
// Returns TRUE on every path that completes; Win32 failures raise via
// RaiseLastWin32Error.
// NOTE(review): the finally block frees the remote allocation with
// SizeOf(TLoadInjectInfo) although it was allocated as TFreeInjectInfo; in
// any case MEM_RELEASE requires dwSize = 0, so the release fails and the
// block is leaked (return value unchecked).
// NOTE(review): strTemp is assigned but never used; dwExitCode is not
// initialised and GetExitCodeThread's result is unchecked, so bOK may be
// indeterminate on failure.
// Defender note: same monitored API sequence as LoadDllToProcess.
FUNCTION UnLoadDllFromProcess(hProcess:THandle;
hLibModule: HModule;
var bOK:BOOL):BOOL;
var
pCode : ^Byte;
i : Integer;
InjectInfo : TFreeInjectInfo;
pRemoteCode : PFreeInjectInfo;
dwCount : DWORD;
dwThreadID : DWORD;
hThread : THandle;
dwExitCode : DWORD;
strTemp:STRING;
begin
result := TRUE;
bOK := TRUE;
try
// Copy the first SizeOf(InjectCode) (100) bytes of RemoteFreeFunc.
pCode := Addr(RemoteFreeFunc);
for i:=0 to SizeOf(InjectInfo.InjectCode) - 1 do begin
InjectInfo.InjectCode[i] := pCode^;
Inc(pCode);
end;
InjectInfo.fnFreeLibrary := GetProcAddress(GetModuleHandle('Kernel32.dll'),
'FreeLibrary');
InjectInfo.hLibModule := hLibModule;
// Filled in for completeness; RemoteFreeFunc's MessageBeep call is commented out.
InjectInfo.fnMessageBeep := GetProcAddress(GetModuleHandle('User32.dll'),
'MessageBeep');
InjectInfo.uBeep := 0;
pRemoteCode := nil;
pRemoteCode := VirtualAllocEx( hProcess,
nil,
SizeOf(TFreeInjectInfo),
MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
if (pRemoteCode = nil) then RaiseLastWin32Error;
if not WriteProcessMemory(hProcess,
pRemoteCode,
@InjectInfo,
SizeOf(TFreeInjectInfo),
dwCount) then
RaiseLastWin32Error;
hThread := 0;
hThread := CreateRemoteThread( hProcess,
nil,
0,
Addr(pRemoteCode^.InjectCode[0]),
pRemoteCode,
0,
dwThreadId);
strTemp:='';
if hThread=0 then RaiseLastWin32Error;
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, dwExitCode);
// Exit code is the BOOL returned by the remote FreeLibrary.
bOK := BOOL(dwExitCode);
CloseHandle(hThread);
finally
// See the size/MEM_RELEASE note above.
if Assigned(pRemoteCode) then
VirtualFreeEx( hProcess,
pRemoteCode,
SizeOf(TLoadInjectInfo),
MEM_RELEASE);
end;
end;
//-------------------------------------------------------------------------------------
//-------------------------------------------------------------------------------------
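// Enables (bEnable = TRUE) or disables (bEnable = FALSE) the named privilege
// on hToken, which must have been opened with TOKEN_ADJUST_PRIVILEGES or
// TOKEN_QUERY.
// Uses the two-step pattern of the classic SetPrivilege sample: the first
// AdjustTokenPrivileges call (Attributes = 0) records the privilege's previous
// state in tpPrevious, and the second call applies the enable/disable bit on
// top of that state.
// Returns FALSE if the privilege name is unknown, or if either adjustment
// fails or does not assign the privilege (ERROR_NOT_ALL_ASSIGNED); TRUE only
// when both calls report ERROR_SUCCESS. The original returned TRUE
// unconditionally after the second call, masking that failure.
FUNCTION SetPrivilege(hToken : THandle; strPrivilege : PChar; bEnable:BOOL):BOOL;
var
tp : TOKEN_PRIVILEGES;
luid : TLargeInteger;
tpPrevious : TOKEN_PRIVILEGES;
cbPrevious : DWORD;
cbRtn : DWORD;
begin
result := FALSE;
cbPrevious := sizeof(TOKEN_PRIVILEGES);
if not LookupPrivilegeValue(nil, strPrivilege, luid) then
exit;
// Step 1: adjust with no attributes to capture the previous state.
tp.PrivilegeCount := 1;
tp.Privileges[0].Luid := luid;
tp.Privileges[0].Attributes := 0;
if (not AdjustTokenPrivileges(hToken, FALSE, tp,
sizeof(TOKEN_PRIVILEGES),
tpPrevious,
cbPrevious)) or (GetLastError() <> ERROR_SUCCESS) then
exit;
// Step 2: apply the requested bit on top of the previous attributes.
tpPrevious.PrivilegeCount := 1;
tpPrevious.Privileges[0].Luid := luid;
if (bEnable) then begin
tpPrevious.Privileges[0].Attributes :=
tpPrevious.Privileges[0].Attributes or SE_PRIVILEGE_ENABLED;
end
else begin
tpPrevious.Privileges[0].Attributes :=
tpPrevious.Privileges[0].Attributes and (not SE_PRIVILEGE_ENABLED)
end;
if not AdjustTokenPrivileges(
hToken,
FALSE,
tpPrevious,
cbPrevious,
nil,
cbRtn) then
exit;
// AdjustTokenPrivileges can succeed yet report ERROR_NOT_ALL_ASSIGNED.
result := (GetLastError() = ERROR_SUCCESS);
end;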
//-------------------------------------------------------------------------------------
//-------------------------------------------------------------------------------------
// Enable SeDebugPrivilege on the current process's token.
// Returns FALSE if the token cannot be opened or SetPrivilege fails; the
// token handle is closed on every path after it has been opened.
FUNCTION SetCurProcessDbgPrivilege:BOOL;
var
hTok : THandle;
begin
Result := OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,
hTok);
if not Result then exit;
Result := SetPrivilege(hTok, SE_DEBUG_NAME, TRUE);
CloseHandle(hTok);
end;
//-------------------------------------------------------------------------------------
//-------------------------------------------------------------------------------------
// Disable SeDebugPrivilege on the current process's token (mirror of
// SetCurProcessDbgPrivilege).
// Returns FALSE if the token cannot be opened or SetPrivilege fails; the
// token handle is closed on every path after it has been opened.
FUNCTION UnSetCurProcessDbgPrivilege:BOOL;
var
hTok : THandle;
begin
Result := OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES or TOKEN_QUERY,
hTok);
if not Result then exit;
Result := SetPrivilege(hTok, SE_DEBUG_NAME, FALSE);
CloseHandle(hTok);
end;
//---------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------
// Win9x only: maps a process or thread ID to the address of the kernel object
// it names, by calling the de-obfuscation routine that GetCurrentThreadId
// itself uses. Used solely by the non-NT branch of OpenThread2.
// How the routine is located (undocumented layout; treat as an assumption):
// the real body of kernel32!GetCurrentThreadId is resolved through
// GetTrueProcAddress, the DWORD at offset 8 is read as a relative
// displacement, and offset 12 plus that displacement is taken as the target —
// which looks like an x86 CALL rel32 at offset 7. Nothing here is valid on
// NT-based Windows.
// NOTE(review): the nil check on dwMain is commented out, so if
// GetTrueProcAddress fails this reads address 8 and faults.
FUNCTION XORProcessThreadID(dwPTID : DWORD):pointer;stdcall;
VAR
obfuscate : OBFUNC;
dwMain : DWORD;
lpdw : PDWORD;
dw1 : DWORD;
BEGIN
dwMain := DWORD(GetTrueProcAddress('Kernel32.dll', 'GetCurrentThreadId'));
// IF dwMain = nil then BEGIN result := nil; exit; END;
lpdw := PDWORD(dwMain+8);   // rel32 operand (assumed) at offset 8
dw1 := dwMain + 12;         // address of the instruction after it
obfuscate := OBFUNC(dw1 + lpdw^);
result := obfuscate(dwPTID);
END;
//---------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------
// Opens a thread handle by thread ID. On NT-based Windows it delegates to
// OpenThreadNT; on Win9x (no OpenThread API) it builds the handle by hand.
// bInherit is passed through as the handle's inheritability. Returns 0 on
// failure; SetLastError(50) (ERROR_NOT_SUPPORTED) is set up front and is the
// last error left on the Win9x failure paths.
// Win9x path (depends on undocumented kernel structures; assumptions marked):
//  1. resolve this process's PDB and the target thread's TCB from their IDs
//  2. validate the TCB: readable and first byte = 7 (presumably the thread
//     object type tag — unverified)
//  3. find the owning process via TCB.pParentPDB; open it if it is not us
//  4. duplicate handle 4 from that process (assumed present in every process)
//     into this process, with THREAD_ALL_ACCESS
//  5. overwrite this process's handle-table entry for the new handle so it
//     refers to the TCB (entry assumed 8 bytes wide after an 8-byte header)
// Step 5 writes into a kernel-maintained table from user mode, which this
// code relies on Win9x permitting; it is the part that cannot be ported.
FUNCTION OpenThread2(dwThreadID : DWORD; bInherit : BOOL):THandle;stdcall;
VAR
hThread, hPrc : THandle;
lp1 : PDWORD;
dwProcessID , dwWhere, dwTable : DWORD;
b1 : BOOL;
lpThreadObj : PTCB;
procpPdb : PPDB;
osvi : OSVERSIONINFO;
BEGIN
osvi.dwOSVersionInfoSize := sizeof(osvi);
GetVersionEX(osvi);
SetLastError(50);
IF osvi.dwPlatformId = VER_PLATFORM_WIN32_NT then
result := OpenThreadNT(dwThreadID, bInherit)
else BEGIN
// Step 1
procpPdb := PPDB(XORProcessThreadID(GetCurrentProcessID()));
lpThreadObj := PTCB (XORProcessThreadID(dwThreadID));
// Step 2
IF IsBadReadPtr(lpThreadObj, sizeof(TCB)) then BEGIN
result := 0;
exit;
END;
IF PBYTE(lpThreadObj)^ <> 7 then BEGIN
result := 0;
exit;
END;
// Step 3
dwProcessID := DWORD(XORProcessThreadID(DWORD(lpThreadObj^.pParentPDB)));
IF (dwProcessID = GetCurrentProcessID()) then
hPrc := GetCurrentProcess()
else BEGIN
hPrc := OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
IF (hPrc = 0) then BEGIN
result := 0;
exit;
END;
END;
// Step 4
// 4 is the lowest handle in the table
// all proceses have this handle
b1 := DuplicateHandle(hPrc,
THandle(4),
GetCurrentProcess(),
@hThread,
THREAD_ALL_ACCESS,
bInherit, 0);
IF (hPrc <> GetCurrentProcess()) then CloseHandle(hPrc);
IF (b1=FALSE) then BEGIN
result := 0;
exit;
END;
// Step 5: handle value / 4 is taken as the table index.
dwWhere := DWORD(hThread) shr 2;
dwTable := procpPdb^.pHandleTable;
lp1 := PDWORD (dwTable + dwWhere*8 + 8);
lp1^ := DWORD(lpThreadObj);
result := hThread;
END;
END;
//---------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------
{$J+}
// NT path of OpenThread2: opens a thread by ID through ntdll!NtOpenThread
// with THREAD_ALL_ACCESS. struct1 is laid out as an object-attributes block
// (first DWORD $18 = 24 = its 32-bit size; index 3 receives bInherit) and
// struct2 as a client id (index 1 = thread ID, index 0 = process left 0) —
// the field mapping is inferred, not verified against the native prototype.
// The typed constants are writable ($J+ in effect) and act as static storage,
// so the function is not re-entrant or thread-safe.
// NOTE(review): LoadLibrary/GetProcAddress results are unchecked; hThread is
// never reset to 0, so if NtOpenThread fails the value left by a previous
// successful call is returned; the NTSTATUS result is discarded.
FUNCTION OpenThreadNT(dwThreadID : DWORD; bInherit : BOOL):THandle;stdcall;
const
hThread : THandle = 0;
struct1 : array [0..5] of DWORD = ($18, 0, 0, 0, 0, 0);
struct2 : array [0..1] of DWORD = (0, 0);
hLib : HModule = 0;
OpenThatNTThread : OTFUNC = nil;
BEGIN
hLib := LoadLibrary('ntdll.dll');
OpenThatNTThread := OTFUNC(GetProcAddress(hLib, 'NtOpenThread'));
struct2[1] := dwThreadID;
struct1[3] := DWORD(bInherit);
OpenThatNtThread(@hThread, THREAD_ALL_ACCESS, struct1, struct2);
FreeLibrary(hLib);
result := hThread;
END;
{$J-}
//---------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------
// GetProcAddress variant that unwraps a one-instruction "push imm32" export
// thunk: if the byte at the resolved address is $68, the 32-bit immediate
// that follows it is returned instead. Returns nil when the module is not
// loaded or the export is missing.
FUNCTION GetTrueProcAddress(lpMod : PChar; lpFunc : PChar):pointer;stdcall;
VAR
hLib : HModule;
pFn : Pointer;
BEGIN
result := nil;
hLib := GetModuleHandle(lpMod);
IF hLib = 0 then exit;
pFn := Pointer(GetProcAddress(hLib, lpFunc));
IF DWORD(pFn) = 0 then exit;
// $68 = x86 PUSH imm32; the operand is the real target address.
IF PByte(pFn)^ = $68 then
pFn := Pointer(PDWORD(DWORD(pFn) + 1)^);
result := pFn;
END;
//---------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------
// Return the PID of the first process in a Toolhelp snapshot whose image name
// contains strProcessName (case-insensitive substring match), or 0 when
// nothing matches or the snapshot cannot be created.
// NOTE(review): because this is a substring test, any longer image name that
// merely contains the wanted one also matches.
FUNCTION GetProcessID(strProcessName : string):DWORD;
VAR
hSnap : THandle;
pe : PROCESSENTRY32;
wanted : string;
BEGIN
result := 0;
hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
IF hSnap = INVALID_HANDLE_VALUE then exit;
wanted := UpperCase(strProcessName);
FillChar(pe, sizeof(PROCESSENTRY32), 0);
pe.dwSize := sizeof(PROCESSENTRY32);
IF Process32First(hSnap, pe) then
repeat
IF Pos(wanted, UpperCase(pe.szExeFile)) <> 0 then BEGIN
result := pe.th32ProcessID;
break;
END;
pe.dwSize := sizeof(PROCESSENTRY32);
until not Process32Next(hSnap, pe);
CloseHandle(hSnap);
END;
//---------------------------------------------------------------------------------------
//---------------------------------------------------------------------------------------
// Return the ID of the first thread in a Toolhelp snapshot owned by
// dwOwnerProcessID, or 0 when the process has no thread in the snapshot or
// the snapshot cannot be created.
FUNCTION GetThreadID(dwOwnerProcessID : DWORD):DWORD;
VAR
hSnap : THandle;
entry : THREADENTRY32;
bMore : BOOL;
BEGIN
result := 0;
FillChar(entry, SizeOf(entry), 0);
hSnap := CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
IF hSnap = INVALID_HANDLE_VALUE then exit;
entry.dwSize := sizeof(THREADENTRY32);
bMore := Thread32First(hSnap, entry);
while bMore do BEGIN
IF entry.th32OwnerProcessID = dwOwnerProcessID then BEGIN
result := entry.th32ThreadID;
break;
END;
bMore := Thread32Next(hSnap, entry);
END;
CloseHandle(hSnap);
END;
//---------------------------------------------------------
end.