// Exported, stdcall entry point with no parameters and no return value.
// It is the routine CWar::DoWork (below) starts in the target process; all it
// does is raise a modal VCL message box. The commented-out MessageBox line is
// the raw Win32 equivalent, kept as an alternative.
procedure showDlg; stdcall; export;
begin
ShowMessage('Delphi Dialog');
//MessageBox(0, 'Win32 Dialog', 'Win32 Dialog', MB_OK);
end;
// Finds the ".reloc" section of a PE image already laid out in memory at
// lpModuleBaseAddr by walking its section table.
//
// lpModuleBaseAddr: base of an in-memory PE image; the DOS header is assumed to
//                   sit at offset 0 and e_lfanew to point at the NT headers.
// Returns: base + VirtualAddress of the section named ".reloc", or 0 when no
//          section carries that name.
//
// Review notes:
//  - Nothing is validated: no MZ/PE signature check and no bounds check on
//    e_lfanew or NumberOfSections, so a malformed image is read out of bounds.
//  - IMAGE_SECTION_HEADER::Name is an 8-byte field that is not guaranteed to
//    be NUL-terminated; lstrcmpiA treats it as a C string.
//  - Pointers are round-tripped through ULONG/DWORD, so this is 32-bit-only
//    arithmetic (truncates on x64).
LPVOID GetRelocBase(LPVOID lpModuleBaseAddr)
{
PIMAGE_DOS_HEADER pImg_DOS_Header = (PIMAGE_DOS_HEADER)lpModuleBaseAddr;
// NT headers live at base + e_lfanew.
PIMAGE_NT_HEADERS pImg_NT_Header = (PIMAGE_NT_HEADERS)((ULONG)pImg_DOS_Header + pImg_DOS_Header->e_lfanew);
_IMAGE_FILE_HEADER FileHeader = pImg_NT_Header->FileHeader;
WORD NumberOfSections = FileHeader.NumberOfSections;
// Section table immediately follows the NT headers (assumes the optional
// header has the size sizeof(IMAGE_NT_HEADERS) implies, not SizeOfOptionalHeader).
IMAGE_SECTION_HEADER* pIMAGE_SECTION_HEADER = (IMAGE_SECTION_HEADER*)((DWORD)pImg_NT_Header + sizeof(IMAGE_NT_HEADERS));
for (WORD i=0; i<NumberOfSections; i++)
{
// Case-insensitive name match; first hit wins.
if (!lstrcmpiA((CHAR*)(pIMAGE_SECTION_HEADER->Name), ".reloc"))
{
// VirtualAddress is an RVA, so the section's in-memory address is base + RVA.
return (LPVOID)((DWORD)lpModuleBaseAddr + pIMAGE_SECTION_HEADER->VirtualAddress);
}
pIMAGE_SECTION_HEADER += 1;
}
return 0;
}
// Copies this process's loaded image of "Project1.DLL" into the process behind
// m_handle and starts a remote thread at its exported "showDlg".
//
// What is written remotely is a byte copy of the DLL as mapped in *this*
// process (already relocated to info.lpBaseOfDll, imports resolved for this
// process), re-patched only by the base-relocation delta to lpTargAddr.
// Nothing in this block re-resolves imports, runs DllMain or handles TLS for
// the remote copy.
//
// Returns: TRUE once the remote thread has been created; 4 when a relocation
//          type other than HIGHLOW is met. NOTE(review): 4 is a nonzero BOOL,
//          so a caller testing `if (DoWork())` cannot tell that failure apart
//          from success.
//
// Review notes (visible in this block, not changed here):
//  - No API result is checked: LoadLibrary, GetProcAddress,
//    GetModuleInformation, VirtualAlloc, VirtualAllocEx, WriteProcessMemory
//    and CreateRemoteThread may all fail and their NULL/FALSE results are used
//    as-is; GetRelocBase may return 0 and pcurReloc is then NULL.
//  - The relocation walk is terminated only by a zero BlockSize (L68-style
//    sentinel), never bounded by the .reloc section size.
//  - DWORD/char* pointer arithmetic makes this 32-bit-only.
//  - hThread is never closed (handle leak); the remote allocation is left in
//    place because the VirtualFreeEx is commented out.
//
// Defender's view: VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
// WriteProcessMemory -> CreateRemoteThread into another process, with the
// thread start address inside a freshly allocated private (non-image-backed)
// region, is the canonical remote-injection sequence that thread-creation
// telemetry and memory scanners key on.
BOOL CWar::DoWork()
{
// Load the DLL locally first; its live mapping is the source of the bytes copied below.
HMODULE hMod = LoadLibrary(TEXT("Project1.DLL"));
typedef BOOL (*FUNC)();
// Export address in this process; rebased onto the remote copy on the CreateRemoteThread line.
FUNC HaveFun = (FUNC)GetProcAddress(hMod, "showDlg");
// MODULEINFO (psapi) supplies lpBaseOfDll and SizeOfImage for the loaded module.
MODULEINFO info;
GetModuleInformation(GetCurrentProcess(), hMod, &info, sizeof(info));
// Local scratch copy of the whole image; relocations are patched here, not in the live mapping.
LPVOID lpAlloc = VirtualAlloc(NULL, info.SizeOfImage, MEM_COMMIT, PAGE_READWRITE);
memcpy(lpAlloc, info.lpBaseOfDll, info.SizeOfImage);
// .reloc section of the copy (same RVA as in the original mapping).
LPVOID lpReloc = GetRelocBase(lpAlloc);
// Destination region in the target process, allocated RWX.
LPVOID lpTargAddr = VirtualAllocEx(m_handle, NULL, info.SizeOfImage, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// Relocation delta: remote base minus the base the image is currently relocated to (32-bit arithmetic).
DWORD dwX = (DWORD)lpTargAddr - (DWORD)info.lpBaseOfDll; // delta
char* pcurReloc = (char*)lpReloc;
DWORD pBlockRVA;
DWORD dwBlockSize, dwCurSize;
WORD itemRVA;
// Walk IMAGE_BASE_RELOCATION blocks: {DWORD PageRVA; DWORD BlockSize;} followed
// by WORD entries whose top 4 bits are the type and low 12 bits the offset
// within the page. The walk stops at a block whose BlockSize is 0.
do
{
pBlockRVA = *(DWORD *)pcurReloc;
dwBlockSize = *(DWORD *)(pcurReloc + 4);
dwCurSize = 8;
pcurReloc += 8;
if ( dwBlockSize > 8 )
{
do
{
itemRVA = *(WORD *)pcurReloc;
pcurReloc += 2;
dwCurSize += 2;
// Type 0 (IMAGE_REL_BASED_ABSOLUTE) is alignment padding and is skipped.
if ( itemRVA >> 12 )
{
// Only IMAGE_REL_BASED_HIGHLOW (3) is handled; any other type aborts with 4.
if ( itemRVA >> 12 != 3 )
return 4;
// Patch the 32-bit absolute address in the local copy by the delta.
*(DWORD *)((char *)lpAlloc + pBlockRVA + (itemRVA & 0xFFF)) += dwX;
}
}
while ( dwCurSize < dwBlockSize );
}
}
while ( dwBlockSize );
DWORD dwTid;
// NOTE: dwTid doubles as the bytes-written out-parameter here and is overwritten by the thread id below.
WriteProcessMemory(m_handle, lpTargAddr, lpAlloc, info.SizeOfImage, &dwTid);
// Start address = showDlg's RVA within the remote copy. CREATE_DEFAULT_ERROR_MODE is a
// CreateProcess flag; NOTE(review): whether CreateRemoteThread honours or rejects it is
// not established here — confirm.
HANDLE hThread = CreateRemoteThread(m_handle, NULL, 0, LPTHREAD_START_ROUTINE((char*)HaveFun - (char*)info.lpBaseOfDll + (char*)lpTargAddr), 0, CREATE_DEFAULT_ERROR_MODE, &dwTid);
//WaitForSingleObject(hThread, 10*1000);
// Release the local scratch copy; the remote region stays mapped.
VirtualFree(lpAlloc, 0, MEM_RELEASE);
//VirtualFreeEx(m_handle, lpTargAddr, 0, MEM_RELEASE);
return TRUE;
}