Full source code of Route call injected into CIDR Block

[Delphi] Full source code of the route (walking) call injected into the CIDR Block (the problem with Delphi reading the monster array list has been solved)

Damn Delphi variable declarations and memory reads.

Post Code:

// ------------------------- Function for injecting code ----------------------------
{Parameter description:
 InHwnd:    handle of a window owned by the target process
 Func:      pointer to the function to inject
 Param:     pointer to the parameter block
 ParamSize: size of the parameter block in bytes
}
procedure InjectFunc(InHwnd: HWND; Func: Pointer; Param: Pointer; ParamSize: DWORD);
var
  hProcess_n: THandle;
  ThreadAdd, ParamAdd: Pointer;
  hThread: THandle;
  ThreadId: DWORD;
  lpNumberOfBytes: DWORD;
begin
  GetWindowThreadProcessId(InHwnd, @ThreadId); // obtain the ID of the process that owns the window
  hProcess_n := OpenProcess(PROCESS_ALL_ACCESS, False, ThreadId); // open the target process
  // Space for the code is requested as read/write only; a process with DEP enabled would fault here.
  ThreadAdd := VirtualAllocEx(hProcess_n, nil, 4096, MEM_COMMIT, PAGE_READWRITE); // allocate space for the code
  WriteProcessMemory(hProcess_n, ThreadAdd, Func, 4096, lpNumberOfBytes); // copy the function body
  ParamAdd := VirtualAllocEx(hProcess_n, nil, ParamSize, MEM_COMMIT, PAGE_READWRITE); // allocate space for the parameter block
  WriteProcessMemory(hProcess_n, ParamAdd, Param, ParamSize, lpNumberOfBytes); // copy the parameter block
  hThread := CreateRemoteThread(hProcess_n, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes); // create a remote thread (flags 0: it starts immediately)
  ResumeThread(hThread); // no-op here, the thread was not created suspended
  CloseHandle(hThread); // close the thread handle

  // According to the code modified by "goldfish".
  // Note: the memory is released without waiting for the remote thread to finish;
  // the caller's Sleep(100) is the only thing keeping the thread from running on freed pages.
  VirtualFreeEx(hProcess_n, ThreadAdd, 4096, MEM_RELEASE);
  VirtualFreeEx(hProcess_n, ParamAdd, ParamSize, MEM_RELEASE); // release the allocated memory

  CloseHandle(hProcess_n); // close the process handle
end;

// ------------------------------- Define a parameter type -----------------------
type
  TPickCallParam = packed record
    Ax, Ay: Single;
  end;
  PPickCallParam = ^TPickCallParam; // pointer to the record (in C this would be a struct)

procedure RunCall(P: PPickCallParam); stdcall; // walking call
var
  Addres, Addres1, Addres2: Pointer;
  X, Y: Single;
begin
  Addres := Pointer($0045EC00);
  Addres1 := Pointer($00462620);
  Addres2 := Pointer($0045F000);
  X := P^.Ax; // X coordinate of the destination
  Y := P^.Ay; // Y coordinate of the destination
  asm
    pushad
    mov eax, dword ptr [$8F207C]
    mov eax, dword ptr [eax + $1C]
    mov esi, dword ptr [eax + $20]
    mov ecx, dword ptr [esi + $BA0]
    push 1
    call Addres
    mov edi, eax
    lea eax, dword ptr [esp + $18]
    push eax
    push 0
    mov ecx, edi
    call Addres1
    push 0
    push 1
    push edi
    mov ecx, dword ptr [esi + $BA0]
    push 1
    call Addres2
    mov eax, dword ptr [$8F207C]
    mov eax, dword ptr [eax + $1C]
    mov eax, dword ptr [eax + $20]
    mov eax, dword ptr [eax + $BA0]
    mov eax, dword ptr [eax + $30]
    mov ecx, dword ptr [eax + 4]
    mov eax, X
    mov [ecx + $20], eax
    mov eax, Y
    mov [ecx + $28], eax
    popad
  end;
end;

procedure TForm1.Button1Click(Sender: TObject); // button on the form used to test the call
var
  CallParam: TPickCallParam;
  PName: PChar;   // the original post leaves these four variables undeclared
  MyHwnd: HWND;
  AProc: DWORD;
  PHnd: THandle;
begin
  GetMem(PName, 33); // allocated but never used or freed in the original post
  MyHwnd := FindWindow(nil, 'element client'); {find the window handle}
  GetWindowThreadProcessId(MyHwnd, AProc); {obtain the process ID}
  PHnd := OpenProcess(PROCESS_VM_READ, False, AProc); {open the process with read access only; InjectFunc opens its own full-access handle}
  if PHnd <> 0 then
  begin
    CallParam.Ax := 1860.0; // fill in the parameter block for the injected function
    CallParam.Ay := 120.0;

    InjectFunc(MyHwnd, @RunCall, @CallParam, SizeOf(CallParam)); // run the injected function
    Sleep(100);

    CloseHandle(PHnd); // close the process handle
  end;
end;
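From the defender's side, the VirtualAllocEx + WriteProcessMemory + CreateRemoteThread sequence above leaves a distinctive trace: Sysmon records it as Event ID 8 (CreateRemoteThread) with an empty StartModule, because the new thread starts in anonymous memory rather than inside a loaded image. The script below is an added example, not part of the original post; the event records, paths and addresses in it are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample Sysmon Event ID 8 records (not real telemetry). The first one
# has an empty StartModule, the signature of a thread started in VirtualAllocEx'd
# memory; the second starts inside ntdll.dll, as ordinary thread creation does.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>8</EventID></System>
 <EventData>
  <Data Name="SourceImage">C:\\Users\\demo\\Project1.exe</Data>
  <Data Name="TargetImage">C:\\Games\\elementclient.exe</Data>
  <Data Name="StartAddress">0x02A10000</Data>
  <Data Name="StartModule"></Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>8</EventID></System>
 <EventData>
  <Data Name="SourceImage">C:\\Windows\\System32\\svchost.exe</Data>
  <Data Name="TargetImage">C:\\Windows\\explorer.exe</Data>
  <Data Name="StartAddress">0x77A2F3C0</Data>
  <Data Name="StartModule">C:\\Windows\\System32\\ntdll.dll</Data>
 </EventData>
</Event>
</Events>"""


def parse_event(event):
    """Flatten one <Event> into a dict of EventID plus the named Data fields."""
    rec = {}
    for el in event.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        if name == "EventID":
            rec["EventID"] = int(el.text)
        elif name == "Data" and el.get("Name"):
            rec[el.get("Name")] = (el.text or "").strip()
    return rec


def is_unbacked_remote_thread(rec):
    """CreateRemoteThread whose start address lies outside every loaded module."""
    return rec.get("EventID") == 8 and rec.get("StartModule", "") == ""


def find_suspicious(xml_text):
    """Return (source, target, start address) for each unbacked remote thread."""
    root = ET.fromstring(xml_text)
    events = (parse_event(e) for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "Event")
    return [(r["SourceImage"], r["TargetImage"], r["StartAddress"])
            for r in events if is_unbacked_remote_thread(r)]
```

JIT runtimes and some security products also start threads in unbacked memory, so treat a hit as a lead to be checked against the source image rather than a verdict on its own.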
