[轉貼] 從內存中加載 啟動一個EXE 源碼

1. //PEUnit.pas
   
2. { ******************************************************* }
   
3. { * 從內存中加載並運行exe * }
   
4. { ******************************************************* }
   
5. { * 參數： }
   
6. { * Buffer: 內存中的exe地址 }
   
7. { * Len: 內存中exe佔用長度 }
   
8. { * CmdParam: 命令行參數(不包含exe文件名的剩餘命令行參數）}
   
9. { * ProcessId: 返回的進程Id }
   
10. { * 返回值： 如果成功則返回進程的Handle(ProcessHandle), }
    
11. { 如果失敗則返回INVALID_HANDLE_VALUE }
    
12. { ******************************************************* }
    
13. 
    
14. unit PEUnit;
    
15. 
    
16. interface
    
17. 
    
18. uses windows;
    
19. 
    
20. function MemExecute(const ABuffer; Len: Integer; CmdParam: string; var ProcessId: Cardinal): Cardinal;
    
21. 
    
22. implementation
    
23. 
    
24. //{$R ExeShell.res} // 外殼程序模板(98下使用)
    
25. 
    
26. type
    
27. TImageSectionHeaders = array [0..0] of TImageSectionHeader;
    
28. PImageSectionHeaders = ^TImageSectionHeaders;
    
29. 
    
30. { 計算對齊後的大小 }
    
31. function GetAlignedSize(Origin, Alignment: Cardinal): Cardinal;
    
32. begin
    
33. result := (Origin + Alignment - 1) div Alignment * Alignment;
    
34. end;
    
35. 
    
36. { 計算加載pe並對齊需要佔用多少內存，未直接使用OptionalHeader.SizeOfImage作為結果是因為據說有的編譯器生成的exe這個值會填0 }
    
37. function CalcTotalImageSize(MzH: PImageDosHeader; FileLen: Cardinal; peH: PImageNtHeaders;
    
38. peSecH: PImageSectionHeaders): Cardinal;
    
39. var
    
40. i: Integer;
    
41. begin
    
42. {計算pe頭的大小}
    
43. result := GetAlignedSize(PeH.OptionalHeader.SizeOfHeaders, PeH.OptionalHeader.SectionAlignment);
    
44. 
    
45. {計算所有節的大小}
    
46. for i := 0 to peH.FileHeader.NumberOfSections - 1 do
    
47. if peSecH[i].PointerToRawData + peSecH[i].SizeOfRawData > FileLen then // 超出文件範圍
    
48. begin
    
49. result := 0;
    
50. exit;
    
51. end
    
52. else if peSecH[i].VirtualAddress <> 0 then //計算對齊後某節的大小
    
53. if peSecH[i].Misc.VirtualSize <> 0 then
    
54. result := GetAlignedSize(peSecH[i].VirtualAddress + peSecH[i].Misc.VirtualSize, PeH.OptionalHeader.SectionAlignment)
    
55. else
    
56. result := GetAlignedSize(peSecH[i].VirtualAddress + peSecH[i].SizeOfRawData, PeH.OptionalHeader.SectionAlignment)
    
57. else if peSecH[i].Misc.VirtualSize < peSecH[i].SizeOfRawData then
    
58. result := result + GetAlignedSize(peSecH[i].SizeOfRawData, peH.OptionalHeader.SectionAlignment)
    
59. else
    
60. result := result + GetAlignedSize(peSecH[i].Misc.VirtualSize, PeH.OptionalHeader.SectionAlignment);
    
61. 
    
62. end;
    
63. 
    
64. 
    
65. { 加載pe到內存並對齊所有節 }
    
66. function AlignPEToMem(const Buf; Len: Integer; var PeH: PImageNtHeaders;
    
67. var PeSecH: PImageSectionHeaders; var Mem: Pointer; var ImageSize: Cardinal): Boolean;
    
68. var
    
69. SrcMz: PImageDosHeader; // DOS頭
    
70. SrcPeH: PImageNtHeaders; // PE頭
    
71. SrcPeSecH: PImageSectionHeaders; // 節表
    
72. i: Integer;
    
73. l: Cardinal;
    
74. Pt: Pointer;
    
75. begin
    
76. result := false;
    
77. SrcMz := @Buf;
    
78. if Len < sizeof(TImageDosHeader) then exit;
    
79. if SrcMz.e_magic <> IMAGE_DOS_SIGNATURE then exit;
    
80. if Len < SrcMz._lfanew+Sizeof(TImageNtHeaders) then exit;
    
81. SrcPeH := pointer(Integer(SrcMz)+SrcMz._lfanew);
    
82. if (SrcPeH.Signature <> IMAGE_NT_SIGNATURE) then exit;
    
83. if (SrcPeH.FileHeader.Characteristics and IMAGE_FILE_DLL <> 0) or
    
84. (SrcPeH.FileHeader.Characteristics and IMAGE_FILE_EXECUTABLE_IMAGE = 0)
    
85. or (SrcPeH.FileHeader.SizeOfOptionalHeader <> SizeOf(TImageOptionalHeader)) then exit;
    
86. SrcPeSecH := Pointer(Integer(SrcPeH)+SizeOf(TImageNtHeaders));
    
87. ImageSize := CalcTotalImageSize(SrcMz, Len, SrcPeH, SrcPeSecH);
    
88. if ImageSize = 0 then
    
89. exit;
    
90. Mem := VirtualAlloc(nil, ImageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); // 分配內存
    
91. if Mem <> nil then
    
92. begin
    
93. // 計算需要復制的PE頭字節數
    
94. l := SrcPeH.OptionalHeader.SizeOfHeaders;
    
95. for i := 0 to SrcPeH.FileHeader.NumberOfSections - 1 do
    
96. if (SrcPeSecH[i].PointerToRawData <> 0) and (SrcPeSecH[i].PointerToRawData < l) then
    
97. l := SrcPeSecH[i].PointerToRawData;
    
98. Move(SrcMz^, Mem^, l);
    
99. PeH := Pointer(Integer(Mem) + PImageDosHeader(Mem)._lfanew);
    
100. PeSecH := Pointer(Integer(PeH) + sizeof(TImageNtHeaders));
     
101. 
     
102. Pt := Pointer(Cardinal(Mem) + GetAlignedSize(PeH.OptionalHeader.SizeOfHeaders, PeH.OptionalHeader.SectionAlignment));
     
103. for i := 0 to PeH.FileHeader.NumberOfSections - 1 do
     
104. begin
     
105. // 定位該節在內存中的位置
     
106. if PeSecH[i].VirtualAddress <> 0 then
     
107. Pt := Pointer(Cardinal(Mem) + PeSecH[i].VirtualAddress);
     
108. 
     
109. if PeSecH[i].SizeOfRawData <> 0 then
     
110. begin
     
111. // 復制數據到內存
     
112. Move(Pointer(Cardinal(SrcMz) + PeSecH[i].PointerToRawData)^, pt^, PeSecH[i].SizeOfRawData);
     
113. if peSecH[i].Misc.VirtualSize < peSecH[i].SizeOfRawData then
     
114. pt := pointer(Cardinal(pt) + GetAlignedSize(PeSecH[i].SizeOfRawData, PeH.OptionalHeader.SectionAlignment))
     
115. else
     
116. pt := pointer(Cardinal(pt) + GetAlignedSize(peSecH[i].Misc.VirtualSize, peH.OptionalHeader.SectionAlignment));
     
117. // pt 定位到下一節開始位置
     
118. end
     
119. else
     
120. pt := pointer(Cardinal(pt) + GetAlignedSize(PeSecH[i].Misc.VirtualSize, PeH.OptionalHeader.SectionAlignment));
     
121. end;
     
122. result := True;
     
123. end;
     
124. end;
     
125. 
     
126. type
     
127. TVirtualAllocEx = function (hProcess: THandle; lpAddress: Pointer;
     
128. dwSize, flAllocationType: DWORD; flProtect: DWORD): Pointer; stdcall;
     
129. 
     
130. var
     
131. MyVirtualAllocEx: TVirtualAllocEx = nil;
     
132. 
     
133. function IsNT: Boolean;
     
134. begin
     
135. result := Assigned(MyVirtualAllocEx);
     
136. end;
     
137. 
     
138. { 生成外殼程序命令行 }
     
139. function PrepareShellExe(CmdParam: string; BaseAddr, ImageSize: Cardinal): string;
     
140. var
     
141. r, h, sz: Cardinal;
     
142. p: Pointer;
     
143. fid, l: Integer;
     
144. buf: Pointer;
     
145. peH: PImageNtHeaders;
     
146. peSecH: PImageSectionHeaders;
     
147. begin
     
148. if IsNT then
     
149. { NT 系統下直接使用自身程序作為外殼進程 }
     
150. result := ParamStr(0)+CmdParam
     
151. else begin
     
152. // 由于98系統下無法重新分配外殼進程佔用內存,所以必須保證運行的外殼程序能容納目標進程並且加載地址一致
     
153. // 此處使用的方法是從資源中釋放出一個事先建立好的外殼程序,然後通過修改其PE頭使其運行時能加載到指定地址並至少能容納目標進程
     
154. r := FindResource(HInstance, 'SHELL_EXE', RT_RCDATA);
     
155. h := LoadResource(HInstance, r);
     
156. p := LockResource(h);
     
157. l := SizeOfResource(HInstance, r);
     
158. GetMem(Buf, l);
     
159. Move(p^, Buf^, l); // 讀到內存
     
160. FreeResource(h);
     
161. peH := Pointer(Integer(Buf) + PImageDosHeader(Buf)._lfanew);
     
162. peSecH := Pointer(Integer(peH) + sizeof(TImageNtHeaders));
     
163. peH.OptionalHeader.ImageBase := BaseAddr; // 修改PE頭重的加載基址
     
164. if peH.OptionalHeader.SizeOfImage < ImageSize then // 目標比外殼大,修改外殼程序運行時佔用的內存
     
165. begin
     
166. sz := Imagesize - peH.OptionalHeader.SizeOfImage;
     
167. Inc(peH.OptionalHeader.SizeOfImage, sz); // 調整總佔用內存數
     
168. Inc(peSecH[peH.FileHeader.NumberOfSections-1].Misc.VirtualSize, sz); // 調整最後一節佔用內存數
     
169. end;
     
170. 
     
171. // 生成外殼程序文件名, 為本程序改後綴名得到的
     
172. // 由于不想 uses SysUtils (一旦 use 了程序將增大80K左右), 而且偷懶，所以只支持最多運行11個進程，後綴名為.dat, .da0~.da9
     
173. result := ParamStr(0);
     
174. result := copy(result, 1, length(result) - 4) + '.dat';
     
175. r := 0;
     
176. while r < 10 do
     
177. begin
     
178. fid := CreateFile(pchar(result), GENERIC_READ or GENERIC_WRITE, 0, nil, Create_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
     
179. if fid < 0 then
     
180. begin
     
181. result := copy(result, 1, length(result)-3)+'da'+Char(r+Byte('0'));
     
182. inc(r);
     
183. end
     
184. else begin
     
185. //SetFilePointer(fid, Imagesize, nil, 0);
     
186. //SetEndOfFile(fid);
     
187. //SetFilePointer(fid, 0, nil, 0);
     
188. WriteFile(fid, Buf^, l, h, nil); // 寫入文件
     
189. CloseHandle(fid);
     
190. break;
     
191. end;
     
192. end;
     
193. result := result + CmdParam; // 生成命令行
     
194. FreeMem(Buf);
     
195. end;
     
196. end;
     
197. { 是否包含可重定向列表 }
     
198. function HasRelocationTable(peH: PImageNtHeaders): Boolean;
     
199. begin
     
200. result := (peH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress <> 0)
     
201. and (peH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size <> 0);
     
202. end;
     
203. 
     
204. type
     
205. PImageBaseRelocation= ^TImageBaseRelocation;
     
206. TImageBaseRelocation = packed record
     
207. VirtualAddress: cardinal;
     
208. SizeOfBlock: cardinal;
     
209. end;
     
210. 
     
211. { 重定向PE用到的地址 }
     
212. procedure DoRelocation(peH: PImageNtHeaders; OldBase, NewBase: Pointer);
     
213. var
     
214. Delta: Cardinal;
     
215. p: PImageBaseRelocation;
     
216. pw: PWord;
     
217. i: Integer;
     
218. begin
     
219. Delta := Cardinal(NewBase) - peH.OptionalHeader.ImageBase;
     
220. p := pointer(cardinal(OldBase) + peH.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
     
221. while (p.VirtualAddress + p.SizeOfBlock <> 0) do
     
222. begin
     
223. pw := pointer(Integer(p) + Sizeof(p^));
     
224. for i := 1 to (p.SizeOfBlock - Sizeof(p^)) div 2 do
     
225. begin
     
226. if pw^ and $F000 = $3000 then
     
227. Inc(PCardinal(Cardinal(OldBase) + p.VirtualAddress + (pw^ and $0FFF))^, Delta);
     
228. inc(pw);
     
229. end;
     
230. p := Pointer(pw);
     
231. end;
     
232. end;
     
233. 
     
234. type
     
235. TZwUnmapViewOfSection = function (Handle, BaseAdr: Cardinal): Cardinal; stdcall;
     
236. 
     
237. { 卸載原外殼佔用內存 }
     
238. function UnloadShell(ProcHnd, BaseAddr: Cardinal): Boolean;
     
239. var
     
240. M: HModule;
     
241. ZwUnmapViewOfSection: TZwUnmapViewOfSection;
     
242. begin
     
243. result := False;
     
244. m := LoadLibrary('ntdll.dll');
     
245. if m <> 0 then
     
246. begin
     
247. ZwUnmapViewOfSection := GetProcAddress(m, 'ZwUnmapViewOfSection');
     
248. if assigned(ZwUnmapViewOfSection) then
     
249. result := (ZwUnmapViewOfSection(ProcHnd, BaseAddr) = 0);
     
250. FreeLibrary(m);
     
251. end;
     
252. end;
     
253. 
     
254. { 創建外殼進程並獲取其基址、大小和當前運行狀態 }
     
255. function CreateChild(Cmd: string; var Ctx: TContext; var ProcHnd, ThrdHnd, ProcId, BaseAddr, ImageSize: Cardinal): Boolean;
     
256. var
     
257. si: TStartUpInfo;
     
258. pi: TProcessInformation;
     
259. Old: Cardinal;
     
260. MemInfo: TMemoryBasicInformation;
     
261. p: Pointer;
     
262. begin
     
263. FillChar(si, Sizeof(si), 0);
     
264. FillChar(pi, SizeOf(pi), 0);
     
265. si.cb := sizeof(si);
     
266. result := CreateProcess(nil, PChar(Cmd), nil, nil, False, Create_SUSPENDED, nil, nil, si, pi); // 以掛起方式運行進程
     
267. if result then
     
268. begin
     
269. ProcHnd := pi.hProcess;
     
270. ThrdHnd := pi.hThread;
     
271. ProcId := pi.dwProcessId;
     
272. 
     
273. { 獲取外殼進程運行狀態，[ctx.Ebx+8]內存處存的是外殼進程的加載基址，ctx.Eax存放有外殼進程的入口地址 }
     
274. ctx.ContextFlags := CONTEXT_FULL;
     
275. GetThreadContext(ThrdHnd, ctx);
     
276. ReadProcessMemory(ProcHnd, Pointer(ctx.Ebx+8), @BaseAddr, SizeOf(Cardinal), Old); // 讀取加載基址
     
277. p := Pointer(BaseAddr);
     
278. 
     
279. { 計算外殼進程佔有的內存 }
     
280. while VirtualQueryEx(ProcHnd, p, MemInfo, Sizeof(MemInfo)) <> 0 do
     
281. begin
     
282. if MemInfo.State = MEM_FREE then
     
283. break;
     
284. p := Pointer(Cardinal(p) + MemInfo.RegionSize);
     
285. end;
     
286. ImageSize := Cardinal(p) - Cardinal(BaseAddr);
     
287. end;
     
288. end;
     
289. 
     
290. { 創建外殼進程並用目標進程替換它然後執行 }
     
291. function AttachPE(CmdParam: string; peH: PImageNtHeaders; peSecH: PImageSectionHeaders;
     
292. Ptr: Pointer; ImageSize: Cardinal; var ProcId: Cardinal): Cardinal;
     
293. var
     
294. s: string;
     
295. Addr, Size: Cardinal;
     
296. ctx: TContext;
     
297. Old: Cardinal;
     
298. p: Pointer;
     
299. Thrd: Cardinal;
     
300. begin
     
301. result := INVALID_HANDLE_VALUE;
     
302. s := PrepareShellExe(CmdParam, peH.OptionalHeader.ImageBase, ImageSize);
     
303. if CreateChild(s, ctx, result, Thrd, ProcId, Addr, Size) then
     
304. begin
     
305. p := nil;
     
306. if (peH.OptionalHeader.ImageBase = Addr) and (Size >= ImageSize) then // 外殼進程可以容納目標進程並且加載地址一致
     
307. begin
     
308. p := Pointer(Addr);
     
309. VirtualProtectEx(result, p, Size, PAGE_EXECUTE_READWRITE, Old);
     
310. end
     
311. else if IsNT then // 98 下失敗
     
312. begin
     
313. if UnloadShell(result, Addr) then // 卸載外殼進程佔有內存
     
314. // 重新按目標進程加載基址和大小分配內存
     
315. p := MyVirtualAllocEx(Result, Pointer(peH.OptionalHeader.ImageBase), ImageSize, MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE);
     
316. if (p = nil) and hasRelocationTable(peH) then // 分配內存失敗並且目標進程支持重定向
     
317. begin
     
318. // 按任意基址分配內存
     
319. p := MyVirtualAllocEx(result, nil, ImageSize, MEM_RESERVE or MEM_COMMIT, PAGE_EXECUTE_READWRITE);
     
320. if p <> nil then
     
321. DoRelocation(peH, Ptr, p); // 重定向
     
322. end;
     
323. end;
     
324. if p <> nil then
     
325. begin
     
326. WriteProcessMemory(Result, Pointer(ctx.Ebx+8), @p, Sizeof(DWORD), Old); // 重置目標進程運行環境中的基址
     
327. peH.OptionalHeader.ImageBase := Cardinal(p);
     
328. if WriteProcessMemory(Result, p, Ptr, ImageSize, Old) then // 復制PE數據到目標進程
     
329. begin
     
330. ctx.ContextFlags := CONTEXT_FULL;
     
331. if Cardinal(p) = Addr then
     
332. ctx.Eax := peH.OptionalHeader.ImageBase + peH.OptionalHeader.AddressOfEntryPoint // 重置運行環境中的入口地址
     
333. else
     
334. ctx.Eax := Cardinal(p) + peH.OptionalHeader.AddressOfEntryPoint;
     
335. SetThreadContext(Thrd, ctx); // 更新運行環境
     
336. ResumeThread(Thrd); // 執行
     
337. CloseHandle(Thrd);
     
338. end
     
339. else begin // 加載失敗,殺掉外殼進程
     
340. TerminateProcess(Result, 0);
     
341. CloseHandle(Thrd);
     
342. CloseHandle(Result);
     
343. Result := INVALID_HANDLE_VALUE;
     
344. end;
     
345. end
     
346. else begin // 加載失敗,殺掉外殼進程
     
347. TerminateProcess(Result, 0);
     
348. CloseHandle(Thrd);
     
349. CloseHandle(Result);
     
350. Result := INVALID_HANDLE_VALUE;
     
351. end;
     
352. end;
     
353. end;
     
354. 
     
355. function MemExecute(const ABuffer; Len: Integer; CmdParam: string; var ProcessId: Cardinal): Cardinal;
     
356. var
     
357. peH: PImageNtHeaders;
     
358. peSecH: PImageSectionHeaders;
     
359. Ptr: Pointer;
     
360. peSz: Cardinal;
     
361. begin
     
362. result := INVALID_HANDLE_VALUE;
     
363. if alignPEToMem(ABuffer, Len, peH, peSecH, Ptr, peSz) then
     
364. begin
     
365. result := AttachPE(CmdParam, peH, peSecH, Ptr, peSz, ProcessId);
     
366. VirtualFree(Ptr, peSz, MEM_DECOMMIT);
     
367. //VirtualFree(Ptr, 0, MEM_RELEASE);
     
368. end;
     
369. end;
     
370. 
     
371. initialization
     
372. MyVirtualAllocEx := GetProcAddress(GetModuleHandle('Kernel32.dll'), 'VirtualAllocEx');
     
373. 
     
374. end.

複製代碼

1. //Test.dpr
   
2. program Test;
   
3. 
   
4. //{$APPTYPE CONSOLE}
   
5. 
   
6. uses
   
7.   SysUtils,
   
8.   Classes,
   
9.   PEUnit in 'PEUnit.pas';
   
10. 
    
11. var
    
12. ABuffer: array of byte;
    
13. Stream: TFileStream;
    
14. ProcessId: Cardinal;
    
15. begin
    
16. Stream:=TFileStream.Create('Target.exe', fmOpenRead); //加載的程序.exe
    
17. try
    
18. SetLength(ABuffer, Stream.Size);
    
19. Stream.ReadBuffer(ABuffer[0], Stream.Size);
    
20. MemExecute(ABuffer[0], Stream.Size, '', ProcessId);
    
21. finally
    
22. Stream.Free;
    
23. end;
    
24. end.

複製代碼

功用是?秘密執行EXE程序?