Delphi进程注入的部分代码

//-------------------------注入代码的函数---------------------------- {参数说明: InHWND:被注入的窗口句柄 Func:注入的函数的指针 Param:参数的指针 ParamSize:参数的大小 } procedure InjectFunc(InHWND: HWND; Func: Pointer; Param: Pointer; ParamSize: DWORD); var hProcess_N: THandle; ThreadAdd, ParamAdd: Pointer; hThread: THandle; ThreadID: DWORD; lpNumberOfBytes:DWORD; begin GetWindowThreadProcessId(InHWND, @ThreadID); //获得窗口ID hProcess_N := OpenProcess(PROCESS_ALL_ACCESS, False, ThreadID);//打开被注入的进程 ThreadAdd := VirtualAllocEx(hProcess_N, nil, 4096, MEM_COMMIT, PAGE_READWRITE); //申请写入代码空间 WriteProcessMemory(hProcess_N, ThreadAdd, Func, 4096, lpNumberOfBytes); //写入函数地址 ParamAdd := VirtualAllocEx(hProcess_N, nil, ParamSize, MEM_COMMIT, PAGE_READWRITE); //申请写入代码参数空间 WriteProcessMemory(hProcess_N, ParamAdd, Param, ParamSize, lpNumberOfBytes); //写入参数地址 hThread := CreateRemoteThread(hProcess_N, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes); //创建远程线程 ResumeThread(hThread); //直接运行线程 CloseHandle(hThread); //关闭线程 VirtualFreeEx(hProcess_N, ThreadAdd, 4096, MEM_RELEASE); VirtualFreeEx(hProcess_N, ParamAdd, ParamSize, MEM_RELEASE); //释放申请的地址 CloseHandle(hProcess_N); //关闭打开的句柄 end; //-----------------------------定义一个参数类型----------------------- type TPickCallParam = packed record ax, ay: single; end; PPickCallParam = ^TPickCallParam; //指向结构的指针(C中叫这种方式的数据应该叫结构体吧) procedure runCall(p:PPickCallParam);stdcall; // 走路call var addres,addres1,addres2:pointer; x,y:single; begin addres:=pointer($0045ec00); addres1:=pointer($00462620); addres2:=pointer($0045f000); x:=p^.ax; //目的地X坐标 y:=p^.ay; //目的地Y坐标 asm pushad mov eax, dword ptr [$8f207c] mov eax, dword ptr [eax+$1C] mov esi, dword ptr [eax+$20] mov ecx, dword ptr [esi+$ba0] push 1 call addres mov edi, eax lea eax, dword ptr [esp+$18] push eax push 0 mov ecx, edi call addres1 push 0 push 1 push edi mov ecx, dword ptr [esi+$ba0] push 1 call addres2 mov eax, dword ptr [$8f207c] mov eax, dword ptr [eax+$1C] mov eax, dword ptr [eax+$20] mov eax, dword ptr [eax+$ba0] mov eax, dword ptr [eax+$30] mov ecx, dword ptr [eax+4] mov eax, x mov [ecx+$20], eax mov eax, y mov [ecx+$28], eax popad end; END; procedure TForm1.Button1Click(Sender: TObject);//在控件中做个按钮 测试 var CallParam:TPickCallParam; begin; getmem(pname,33); myhwnd := FindWindow(nil,Element Client);{查找窗口句柄} GetWindowThreadProcessId(myhwnd, aproc); {得到窗口ID} phnd := OpenProcess(PROCESS_VM_READ , False, aproc);{以完全访问权限打开进程句柄} if (phnd<>0 ) then begin CallParam.ax:= 1860.0; //给注入代码函数赋值 CallParam.ay:=120.0; //给注入代码函数赋值 InjectFunc(myhWnd,@runCall,@CallParam,SizeOf(CallParam)); //运行注入代码函数 sleep(100); CloseHandle(PHND) //关闭进程 end; end;