unit TheBatProto;
interface
implementation
uses
Common, Windows, TlHelp32, SysUtils;
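{ Scans the image of the process behind H for the ANSI string 'telnet://'
  and overwrites its first occurrence with 'custom://'.

  H must be a process handle that allows reading memory, changing page
  protection and writing memory (PROCESS_VM_READ, PROCESS_VM_OPERATION,
  PROCESS_VM_WRITE).

  The scan starts at the fixed address Base and reads 1 KB chunks until the
  first chunk that cannot be read in full. Only the first match is patched.
  Both strings are 9 bytes long, so no neighbouring bytes are overwritten.

  NOTE(review): Base is the traditional default load address of a 32-bit
  executable. If the target image is relocated (ASLR) or is a 64-bit
  process, nothing will be found at this address - confirm against the
  actual target build. }
procedure PatchMemory(H: THandle);
const
  // Byte-sized character types are spelled out so that the byte counts passed
  // to ReadProcessMemory/Move/WriteProcessMemory stay equal to the character
  // counts on compilers where Char is two bytes wide.
  Replacement: array[1..9] of AnsiChar = 'custom://';
  Base = $400000;
var
  Memory: AnsiString;
  Buffer: array[0..1023] of AnsiChar;
  P, C, OldProtect: Cardinal;
  ProtectionChanged: Boolean;
begin
  P := 0;
  Memory := '';
  // Copy the target's memory into a local string, one buffer at a time,
  // stopping at the first short or failed read.
  repeat
    if ReadProcessMemory(H, Pointer(Base+P), @Buffer, SizeOf(Buffer), C) and (C = SizeOf(Buffer)) then
    begin
      SetLength(Memory, Length(Memory)+SizeOf(Buffer));
      Move(Buffer, Memory[1+P], SizeOf(Buffer));
      Inc(P, SizeOf(Buffer));
    end
    else
      Break;
  until False;
  P := Pos('telnet://', Memory);
  if P>0 then
  begin
    // Pos is 1-based; convert the match position to an address in the target.
    P := Base + P-1;
    ProtectionChanged := VirtualProtectEx(H, Pointer(P), SizeOf(Replacement), PAGE_EXECUTE_WRITECOPY, OldProtect);
    // The write is attempted even if the protection change failed, because
    // the page may already be writable.
    WriteProcessMemory(H, Pointer(P), @Replacement, SizeOf(Replacement), C);
    // Put the original protection back so the page is not left writable and
    // executable in the target for the rest of its lifetime.
    if ProtectionChanged then
      VirtualProtectEx(H, Pointer(P), SizeOf(Replacement), OldProtect, C);
  end;
end;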
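{ Background loop: every two seconds takes a snapshot of the running
  processes and calls PatchMemory on each process whose executable name is
  'thebat.exe' (case-insensitive) and whose process ID differs from the one
  handled last.

  Mutex is not declared in this unit (presumably it comes from Common); it is
  held for the duration of each scan and released before sleeping.

  NOTE(review): the target is identified by file name only, so any process
  named thebat.exe that this account can open will be patched. Checking the
  full image path or the file's signature before patching would be safer. }
procedure ThreadProc;
const
  // Only the rights PatchMemory needs: read memory, change page protection,
  // write memory. Requesting PROCESS_ALL_ACCESS asks for far more than that
  // and fails in situations where this narrower request would succeed.
  PatchAccess = PROCESS_VM_OPERATION or PROCESS_VM_READ or PROCESS_VM_WRITE;
var
  hSnapshoot: THandle;
  pe32: TProcessEntry32;
  hProcess: THandle;
  S: String;
  OldProcessID: Cardinal;
begin
  OldProcessID := 0;
  repeat
    WaitForSingleObject(Mutex, INFINITE);
    hSnapshoot := CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // A failed snapshot yields INVALID_HANDLE_VALUE; skip this round instead
    // of enumerating and closing an invalid handle.
    if hSnapshoot <> INVALID_HANDLE_VALUE then
    begin
      pe32.dwSize := SizeOf(TProcessEntry32);
      if Process32First(hSnapshoot, pe32) then
        repeat
          S := LowerCase(PChar(@pe32.szExeFile[0]));
          if (S='thebat.exe') and (pe32.th32ProcessID <> OldProcessID) then
          begin
            // The ID is remembered before the open is attempted, so a process
            // that could not be opened is not retried on the next pass.
            OldProcessID := pe32.th32ProcessID;
            hProcess := OpenProcess(PatchAccess, false, pe32.th32ProcessID);
            if hProcess<>0 then
            begin
              PatchMemory(hProcess);
              CloseHandle(hProcess);
            end;
            //else Warning('Can''t open ' + PChar(@pe32.szExeFile[0]));
          end;
        until not Process32Next(hSnapshoot, pe32);
      CloseHandle(hSnapshoot);
    end;
    ReleaseMutex(Mutex);
    Sleep(2000);
  until False;
end;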
initialization
// Runs when the unit is loaded: hands ThreadProc to Spawn together with the
// label 'TheBatProto'. Spawn is not defined in this unit (presumably it comes
// from Common and starts the procedure on its own thread - confirm there).
Spawn(@ThreadProc, 'TheBatProto');
end.