核心提示://-------------------------注入代码的函数----------------------------{参数说明:InHWND:被注入的窗口句柄Func:注入的函数的指针Para...
//-------------------------注入代码的函数----------------------------{参数说明:
InHWND:被注入的窗口句柄
Func:注入的函数的指针
Param:参数的指针
ParamSize:参数的大小
}
procedure InjectFunc(InHWND: HWND; Func: Pointer; Param: Pointer; ParamSize: DWORD);
var
hProcess_N: THandle;
ThreadAdd, ParamAdd: Pointer;
hThread: THandle;
ThreadID: DWORD;
lpNumberOfBytes:DWORD;
begin
GetWindowThreadProcessId(InHWND, @ThreadID); //获得窗口ID
hProcess_N := OpenProcess(PROCESS_ALL_ACCESS, False, ThreadID);//打开被注入的进程
ThreadAdd := VirtualAllocEx(hProcess_N, nil, 4096, MEM_COMMIT, PAGE_READWRITE); //申请写入代码空间
WriteProcessMemory(hProcess_N, ThreadAdd, Func, 4096, lpNumberOfBytes); //写入函数地址
ParamAdd := VirtualAllocEx(hProcess_N, nil, ParamSize, MEM_COMMIT, PAGE_READWRITE); //申请写入代码参数空间
WriteProcessMemory(hProcess_N, ParamAdd, Param, ParamSize, lpNumberOfBytes); //写入参数地址
hThread := CreateRemoteThread(hProcess_N, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes); //创建远程线程
ResumeThread(hThread); //直接运行线程
CloseHandle(hThread); //关闭线程
VirtualFreeEx(hProcess_N, ThreadAdd, 4096, MEM_RELEASE);
VirtualFreeEx(hProcess_N, ParamAdd, ParamSize, MEM_RELEASE); //释放申请的地址
CloseHandle(hProcess_N); //关闭打开的句柄
end;
//-----------------------------定义一个参数类型-----------------------
type
TPickCallParam = packed record
ax, ay: single;
end;
PPickCallParam = ^TPickCallParam; //指向结构的指针(C中叫这种方式的数据应该叫结构体吧)
procedure runCall(p:PPickCallParam);stdcall; // 走路call
var
addres,addres1,addres2:pointer;
x,y:single;
begin
addres:=pointer($0045ec00);
addres1:=pointer($00462620);
addres2:=pointer($0045f000);
x:=p^.ax; //目的地X坐标
y:=p^.ay; //目的地Y坐标
asm
pushad
mov eax, dword ptr [$8f207c]
mov eax, dword ptr [eax+$1C]
mov esi, dword ptr [eax+$20]
mov ecx, dword ptr [esi+$ba0]
push 1
call addres
mov edi, eax
lea eax, dword ptr [esp+$18]
push eax
push 0
mov ecx, edi
call addres1
push 0
push 1
push edi
mov ecx, dword ptr [esi+$ba0]
push 1
call addres2
mov eax, dword ptr [$8f207c]
mov eax, dword ptr [eax+$1C]
mov eax, dword ptr [eax+$20]
mov eax, dword ptr [eax+$ba0]
mov eax, dword ptr [eax+$30]
mov ecx, dword ptr [eax+4]
mov eax, x
mov [ecx+$20], eax
mov eax, y
mov [ecx+$28], eax
popad
end;
END;
procedure TForm1.Button1Click(Sender: TObject);//在控件中做个按钮 测试
var
CallParam:TPickCallParam;
begin;
getmem(pname,33);
myhwnd := FindWindow(nil,'Element Client');{查找窗口句柄}
GetWindowThreadProcessId(myhwnd, aproc); {得到窗口ID}
phnd := OpenProcess(PROCESS_VM_READ , False, aproc);{以完全访问权限打开进程句柄}
if (phnd<>0 ) then
begin
CallParam.ax:= 1860.0; //给注入代码函数赋值
CallParam.ay:=120.0; //给注入代码函数赋值
InjectFunc(myhWnd,@runCall,@CallParam,SizeOf(CallParam)); //运行注入代码函数
sleep(100);
CloseHandle(PHND) //关闭进程
end;
end;