Aquí tienes el código:
Código Delphi
[-]
uses TlHelp32;
function EnabledDebugPrivilege(const Enabled : Boolean) : Boolean;
var
hTk : THandle;
rtnTemp : Dword;
TokenPri : TOKEN_PRIVILEGES;
const
SE_DEBUG = 'SeDebugPrivilege';
begin
Result := False;
if (OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,hTk)) then
begin
TokenPri.PrivilegeCount := 1;
LookupPrivilegeValue(nil,SE_DEBUG,TokenPri.Privileges[0].Luid);
if Enabled then
TokenPri.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED
else
TokenPri.Privileges[0].Attributes := 0;
rtnTemp := 0;
AdjustTokenPrivileges(hTk,False,TokenPri,sizeof(TokenPri),nil,rtnTemp);
Result := GetLastError = ERROR_SUCCESS;
CloseHandle(hTk);
end;
end;
function GetProcessID(Exename: string): DWORD;
var
hProcSnap: THandle;
pe32: TProcessEntry32;
begin
result := 0;
hProcSnap := CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
if hProcSnap <> INVALID_HANDLE_VALUE then
begin
pe32.dwSize := SizeOf(ProcessEntry32);
if Process32First(hProcSnap, pe32) = true then
begin
while Process32Next(hProcSnap, pe32) = true do
begin
if pos(Exename, pe32.szExeFile) <> 0 then
result := pe32.th32ProcessID;
end;
end;
CloseHandle(hProcSnap);
end;
end;
function InjectTo(const Host, Guest: string): DWORD;
var
hRemoteProcess: THandle;
dwRemoteProcessId: DWORD;
memSize: DWORD;
pszLibFileRemote: Pointer;
iReturnCode: Boolean;
TempVar: DWORD;
pfnStartAddr: TFNThreadStartRoutine;
pszLibAFilename: PwideChar;
begin
Result := 0;
EnabledDebugPrivilege(True);
Getmem(pszLibAFilename, Length(Guest) * 2 + 1);
StringToWideChar(Guest, pszLibAFilename, Length(Guest) * 2 + 1);
dwRemoteProcessID:=GetProcessId(host);
hRemoteProcess := OpenProcess(PROCESS_CREATE_THREAD + PROCESS_VM_OPERATION +
PROCESS_VM_WRITE,
FALSE, dwRemoteProcessId);
memSize := (1 + lstrlenW(pszLibAFilename)) * sizeof(WCHAR)*2;
pszLibFileRemote := PWIDESTRING(VirtualAllocEx(hRemoteProcess, nil, memSize, MEM_COMMIT, PAGE_READWRITE));
TempVar := 0;
iReturnCode := WriteProcessMemory(hRemoteProcess, pszLibFileRemote, pszLibAFilename, memSize, TempVar);
if iReturnCode then
begin
pfnStartAddr := GetProcAddress(GetModuleHandle('Kernel32'), 'LoadLibraryW');
TempVar := 0;
Result := CreateRemoteThread(hRemoteProcess, nil, 0, pfnStartAddr, pszLibFileRemote, 0, TempVar);
end;
Freemem(pszLibAFilename);
end;
Ejemplo de uso:
Código Delphi
[-]
begin
InjectTo('notepad.exe', 'C:\MyDll.dll');
end;
Nunca utilices un proceso critíco del sistema. Si tienes alguna duda, pregunta.
Salu2 y suerte.