[Delphi] API Spoofing

[Nytro]

[snippet] API Spoofing

Author: carbon (cred)

procedure CopyMemory(Destination, Source:Pointer; dwSize:DWORD);
asm
  PUSH ECX
  PUSH ESI
  PUSH EDI
  MOV EDI, Destination
  MOV ESI, Source
  MOV ECX, dwSize
  REP MOVSB
  POP EDI
  POP ESI
  POP ECX
end;

var
  pMsgBoxA: Pointer;
  pOther:   Pointer;
  pCode:    Pointer;
  dwNull:   Pointer;
  dwRelative: DWORD;
  xMessageBoxA: function(hWindow:HWND; lpText:PChar; lpCaption:PChar; uStyle:UINT):UINT; stdcall;
begin
  pMsgBoxA := GetProcAddress(LoadLibraryA('user32.dll'), 'MessageBoxA');
  pOther := GetProcAddress(LoadLibraryA('user32.dll'), 'GetTopWindow');
  pCode := VirtualAlloc(nil, 10, MEM_COMMIT, PAGE_READWRITE);
  if ((Assigned(pMsgBoxA)) and (Assigned(pOther)) and (Assigned(pCode))) then
  begin
    PByte(pCode)^ := $55; // PUSH EBP
    PByte(DWORD(pCode) + 1)^ := $8B; // MOV EBP >>
    PByte(DWORD(pCode) + 2)^ := $EC; // , ESP
    dwRelative := DWORD(pMsgBoxA) - DWORD(pOther);
    PByte(DWORD(pCode) + 3)^ := $E9; // JMP
    PDWORD(DWORD(pCode) + 4)^ := dwRelative - 3; // user32.MessageBoxA // - 3 because the JMP is @ + 3
    VirtualProtect(pOther, 10, PAGE_EXECUTE_READWRITE, @dwNull);
    CopyMemory(pOther, pCode, 10);
    VirtualFree(pCode, 0, MEM_RELEASE);

    xMessageBoxA := Pointer(@GetTopWindow);

    xMessageBoxA(0, 'Spoofed API', 'TEST', 0);

  end;
end.