[Delphi] Full source of the walk-call ("route call") code injected into the game client; the earlier problem with Delphi reading the monster-array list has been solved.
Delphi's variable declarations and the memory reads were the painful part.
Post Code:
// ------------------------- Function for injecting code ----------------------------
{Parameter description:
Inhwnd: handle of a window owned by the target process (used to look up the process id)
FUNC: pointer to the routine to copy into the target and run there
Param: pointer to the parameter block copied into the target and passed to that routine
Paramsize: size of the parameter block in bytes
}
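procedure injectfunc(inhwnd: HWND; func: Pointer; Param: Pointer; paramsize: DWORD);
{ Copies CODE_PAGE_SIZE bytes starting at `func`, plus a copy of the `Param`
  block, into the process that owns window `inhwnd`, runs the copied code on a
  new thread with the copied parameter block as its argument, waits (bounded)
  for that thread to finish, then releases the remote memory and all handles.

  Parameters:
    inhwnd    - handle of a window belonging to the target process
    func      - address of the routine to copy. It must be self-contained
                (no Delphi RTL calls, no injector-process data other than the
                parameter block), use only absolute addresses valid in the
                target, and fit inside CODE_PAGE_SIZE bytes: the copy is a
                blind read of 4 KiB from `func`, not the routine's real length
    Param     - parameter block copied into the target and passed to the thread
    paramsize - size of that block in bytes

  Silently returns if the process cannot be opened, memory cannot be allocated
  or written, or the thread cannot be created. Whatever was allocated or opened
  before the failure is released on every path.

  Fixes relative to the previous version:
    - the code page was PAGE_READWRITE; executing from it faults in a
      DEP/NX-enabled process, so it is now PAGE_EXECUTE_READWRITE;
    - the code and parameter pages were freed immediately after
      CreateRemoteThread, while the remote thread could still be executing
      from them (use-after-free inside the target); we now wait for the
      thread first;
    - VirtualFreeEx with MEM_RELEASE requires dwSize = 0; passing 4096 /
      paramsize made the release fail and leak the pages in the target;
    - no return value was checked, so a failed OpenProcess/VirtualAllocEx
      led to writes through handle 0 / address nil. }
const
  CODE_PAGE_SIZE = 4096;
  THREAD_WAIT_MS = 5000; // bounded so a stuck remote thread cannot hang the injector
var
  processId: DWORD;
  hProcess: THandle;
  codeAddr, paramAddr: Pointer;
  hThread: THandle;
  threadId: DWORD;
  bytesDone: DWORD;
begin
  processId := 0;
  // The out-parameter receives the PROCESS id (the thread id is the return
  // value, which is not needed here). A 0 hwnd yields processId = 0.
  GetWindowThreadProcessId(inhwnd, @processId);
  if processId = 0 then
    Exit;

  hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, processId);
  if hProcess = 0 then
    Exit;
  try
    codeAddr := nil;
    paramAddr := nil;
    try
      // Executable page: the remote thread starts executing at codeAddr.
      codeAddr := VirtualAllocEx(hProcess, nil, CODE_PAGE_SIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      if codeAddr = nil then
        Exit;
      if not WriteProcessMemory(hProcess, codeAddr, func, CODE_PAGE_SIZE, bytesDone) then
        Exit;

      paramAddr := VirtualAllocEx(hProcess, nil, paramsize, MEM_COMMIT, PAGE_READWRITE);
      if paramAddr = nil then
        Exit;
      if not WriteProcessMemory(hProcess, paramAddr, Param, paramsize, bytesDone) then
        Exit;

      // Creation flags = 0: the thread starts immediately, so the old
      // ResumeThread call was a no-op and is gone.
      hThread := CreateRemoteThread(hProcess, nil, 0, codeAddr, paramAddr, 0, threadId);
      if hThread = 0 then
        Exit;
      try
        // Both pages released in the finally below are in use by this thread
        // until it returns; do not free them underneath it.
        WaitForSingleObject(hThread, THREAD_WAIT_MS);
      finally
        CloseHandle(hThread);
      end;
    finally
      // MEM_RELEASE frees the whole reservation; dwSize must be 0.
      if paramAddr <> nil then
        VirtualFreeEx(hProcess, paramAddr, 0, MEM_RELEASE);
      if codeAddr <> nil then
        VirtualFreeEx(hProcess, codeAddr, 0, MEM_RELEASE);
    end;
  finally
    CloseHandle(hProcess);
  end;
end;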
// ------------------------------- Define a parameter type -----------------------
Type
// Parameter block that injectfunc copies into the target process and hands to
// runcall as P. `packed` keeps it exactly 8 bytes (two 4-byte singles) so the
// remote copy has the same layout the injected code reads via P^.Ax / P^.Ay.
Tpickcallparam = packed record
Ax, ay: single; // destination X / Y written into the target by runcall
End;
Ppickcallparam = ^ tpickcallparam; // pointer to the record (the equivalent of a struct pointer in C)
Procedure runcall (P: ppickcallparam); stdcall; // walking call: injected "walk to (Ax, Ay)" routine
{ Thread entry routine that injectfunc copies (4096 bytes from this address)
  into the 'element client' process and starts with CreateRemoteThread, P
  pointing at the remote copy of a tpickcallparam.

  Because it executes inside the target process:
    - every absolute address below ($8f207c, $0045ec00, $00462620, $0045f000
      and the field offsets) refers to the TARGET's address space and is only
      valid for the client build they were taken from;
    - it must stay self-contained: it makes no Delphi RTL calls and touches
      nothing from the injector process except P and its own stack locals.
  Declared stdcall so the thread parameter is read from the stack as P.
  The procedure has no return value, so the remote thread's exit code is
  whatever EAX holds after Popad (the value at entry) and carries no meaning.

  NOTE(review): as extracted, several hex literals contain spaces
  ("$ 8f207c", "$ 1C", "$ ba0"); they must read "$8f207c", "$1C", "$ba0"
  to assemble. }
VaR
Addres, addres1, addres2: pointer; // absolute addresses of the three target-process routines called below
X, Y: single; // copies of P^.Ax / P^.Ay on this thread's stack, read back from the asm block
Begin
Addres: = pointer ($0045ec00 );
Addres1: = pointer ($00462620 );
Addres2: = pointer ($0045f000 );
X: = P ^. Ax; // The X coordinate of the destination.
Y: = P ^. Ay; // y coordinate of the destination
ASM
Pushad
// Follow a pointer chain from the global at $8f207c: [$8f207c] -> +$1C -> +$20 (kept in ESI) -> +$ba0.
// No step is nil-checked: a nil anywhere faults this thread inside the target process.
MoV eax, dword ptr [$ 8f207c]
MoV eax, dword ptr [eax + $ 1C]
MoV ESI, dword ptr [eax + $20]
MoV ECx, dword ptr [ESI + $ ba0] // ECX is loaded right before each call - presumably a this-pointer (thiscall); not verifiable from here
Push 1
Call addres // indirect call through the local holding $0045ec00, one argument (1); result saved in EDI
MoV EDI, eax
Lea eax, dword ptr [esp + $18] // address inside the Pushad save area (the saved-ECX slot, if the callee popped its argument); intent not evident
Push eax
Push 0
MoV ECx, EDI
Call addres1 // $00462620(0, <that stack address>) with ECX = result of the first call
Push 0
Push 1
Push EDI
MoV ECx, dword ptr [ESI + $ ba0]
Push 1
Call addres2 // $0045f000(1, EDI, 1, 0) with ECX = [ESI+$ba0] again
// Re-walk the same chain two levels deeper (+$30, then +4) to reach the record that holds the destination.
MoV eax, dword ptr [$ 8f207c]
MoV eax, dword ptr [eax + $ 1C]
MoV eax, dword ptr [eax + $20]
MoV eax, dword ptr [eax + $ ba0]
MoV eax, dword ptr [eax + $30]
MoV ECx, dword ptr [eax + 4]
MoV eax, X // store the 32-bit single X at +$20 and Y at +$28 of that record
MoV [ECx + $20], eax
MoV eax, y
MoV [ECx + $28], eax
Popad // nothing here pops the pushed arguments: correctness relies on each callee cleaning its own stack (stdcall/thiscall) - assumption, not verified
End;
End;
Procedure tform1.button1click (Sender: tobject); // perform a button test in the control.
{ Test button: finds the game window by exact title, checks that its process
  can be opened, then injects runcall with the fixed destination (1860.0, 120.0).
  pname, myhwnd, aproc and phnd are not declared in this listing (form-level
  variables, presumably). aproc is passed as a var argument here, so it is
  expected to be a DWORD that receives the process id. }
VaR
Callparam: tpickcallparam;
Begin; // the stray ';' after Begin is an empty statement and is harmless
Getmem (pname, 33 ); // NOTE(review): 33 bytes allocated but neither used nor freed in this handler - leaks on every click unless released elsewhere
Myhwnd: = findwindow (nil, 'element client'); {find a window handle by exact title; 0 if no such window}
Getwindowthreadprocessid (myhwnd, aproc); {obtain the owning PROCESS id (0 when myhwnd is 0)}
Phnd: = OpenProcess (process_vm_read, false, aproc); {NOTE: opens with PROCESS_VM_READ only, not full access; this handle is just a reachability probe - injectfunc opens its own PROCESS_ALL_ACCESS handle}
If (phnd <> 0) then
Begin
Callparam. Ax: = 1860.0; // destination X, copied into the target by injectfunc
Callparam. Ay: = 120.0; // destination Y
Injectfunc (myhwnd, @ runcall, @ callparam, sizeof (callparam); // copy runcall + callparam into the target and run it on a remote thread. NOTE(review): as extracted this line is missing the closing ')' of the call
Sleep (100 ); // purpose not stated; presumably gives the remote thread time to run. callparam is already copied into the target, so this does not protect the local
Closehandle (phnd) // release the probe handle (only reached on this path; there is nothing to close otherwise)
End;
End;