//Reposter: I have seen an article like this translated by Mr. Lu Lin before. It is a C version. I rewrote it in Delphi without success. I went to Tsinghua BBS today and saw this Delphi version. I posted it here.
Sender: Litoad (Rick), Area: Delphi
Title: The Delphi version of the Self-Delete program is finally done. (reprint)
Sending station: BBS Shuimu Tsinghua Station (Mon Jun 4 20:51:55 2001)
[The following text is reproduced from the PRogramming discussion area]
Sender: Litoad (Rick), Section: Programming
Title: The Delphi version of the Self-Delete program is finally done.
Sending station: BBS Shuimu Tsinghua Station (Mon Jun 4 20:50:42 2001)
I went to Borland's forum and asked, and it is indeed the same as what laoduan said.
GetProcAddress yourself. The code is as follows:
program Project1;
uses
Windows;
procedure DeleteSelf;
var
hModule: THandle;
buff: array[0..255] of Char;
hKernel32: THandle;
pExitProcess, pDeleteFileA, pUnmapViewOfFile: Pointer;
begin
hModule := GetModuleHandle(nil);
GetModuleFileName(hModule, buff, sizeof(buff));
CloseHandle(THandle(4));
hKernel32 := GetModuleHandle('KERNEL32');
pExitProcess := GetProcAddress(hKernel32, 'ExitProcess');
pDeleteFileA := GetProcAddress(hKernel32, 'DeleteFileA');
pUnmapViewOfFile := GetProcAddress(hKernel32, 'UnmapViewOfFile');
asm
LEA EAX, buff
PUSH 0
PUSH 0
PUSH EAX
PUSH pExitProcess
PUSH hModule
PUSH pDeleteFileA
PUSH pUnmapViewOfFile
RET
end;
end;
begin
DeleteSelf;
end.
Now there is one weird thing, that is, the code must be placed in a Procedure.
Putting it directly in the middle of begin...end. will not work. Maybe global variables cannot be used
, but why it cannot be used is still not clear.
Also, instead of GetProcAddress, write directly as follows:
PUSH OFFSET UnmapViewOfFile
The result of the trace is that the execution enters KERNEL32.UnmapViewOfFile, but only after
An error occurred when RET $4 came out of the function, and it jumped to an inexplicable place. why
so? Is it a problem with Delphi's compiler?
In addition, the RE code on the Borland forum is not the above, but the effect is the same as what I wrote.
. But does FreeLibrary(p) have the same effect as UnmapViewOfFile(hModule)?
The code is as follows:
program Project1;
uses
windows;
procedure DeleteSelf;
var
module: HMODULE;
buf : array [ 0 .. MAX_PATH - 1 ] of char;
p:ULONG;
hKrnl32: HMODULE;
pExitProcess, pDeleteFile, pFreeLibrary : pointer;
begin
module := GetModuleHandle ( nil );
GetModuleFileName ( module, buf, sizeof ( buf ) );
CloseHandle ( THandle ( 4 ) );
p := ULONG (module) + 1;
//What does the above sentence mean?
hKrnl32 := GetModuleHandle ( 'kernel32' );
pExitProcess := GetProcAddress ( hKrnl32, 'ExitProcess' );
pDeleteFile := GetProcAddress ( hKrnl32, 'DeleteFileA' );
pFreeLibrary := GetProcAddress ( hKrnl32, 'FreeLibrary' );
asm
lea eax, buf
push 0
push 0
push eax
push pExitProcess
push p
push pDeleteFile
push pFreeLibrary
ret
end;
end;