对论坛要彻底失去信心了!!!!!!!!!!!!! ( 积分: 100 )

unit APIHook;

interface

uses
SysUtils,
Windows, WinSock, Dialogs, registry;

type
// Signature of the API being hooked (advapi32!RegSetValueExA). It must match the
// real export exactly (stdcall, same parameter order) because Myreg is entered
// through the patched entry point with the caller's own stack frame.
// TSockProc = function (s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;

Tregproc = function(hKey: hKey; lpValueName: PAnsiChar; Reserved: DWORD; dwType: DWORD; lpData: Pointer; cbData: DWORD): Longint; stdcall;

PJmpCode = ^TJmpCode;
// Inline patch written over the first 8 bytes of the API entry:
// B8 imm32 (mov eax, Address) followed by FF E0 (jmp eax) and one pad byte.
// NOTE(review): this is a 32-bit-only encoding; with an 8-byte pointer the
// record layout and the instruction sequence are both wrong for x64.
TJmpCode = packed record
JmpCode: BYTE; // $B8 = mov eax, imm32
Address: Tregproc; // the imm32 operand: address of the replacement function
MovEAX: array[0..2] of BYTE; // despite the name: $FF $E0 = jmp eax, plus one pad byte
end;

//-------------------- forward declarations ---------------------------
procedure HookAPI;
procedure UnHookAPI;

var
Oldreg : Tregproc; // address of the real RegSetValueExA (set by HookAPI); called by Myreg after the entry bytes are restored
JmpCode : TJmpCode; // the patch HookAPI/Myreg write over the API entry
Oldproc : array[0..1] of TJmpCode; // saved copy of the original entry bytes (only the first 8 are used) for restoring/unhooking
Addreg : Pointer; // address of the RegSetValueExA entry point
TmpJmp : TJmpCode; // not referenced anywhere in this unit
ProcessHandle : THandle; // GetCurrentProcess pseudo-handle used for Read/WriteProcessMemory

implementation

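{ Maps a predefined root-key handle to its name, for prompts and logs.
  Adds HKEY_CURRENT_USER, which the original list omitted although it is the
  most commonly used root; HKEY_DYN_DATA (Win9x) is covered as well.
  Any handle that is not a predefined root - in particular a subkey handle
  returned by RegOpenKeyEx/RegCreateKeyEx - yields '未知根路径', so this
  function alone cannot tell which key a RegSetValueEx call is writing to. }
function GetRootKey(hKey: hKey): Pchar;
begin
  if hKey = HKEY_CLASSES_ROOT then
    Result := 'HKEY_CLASSES_ROOT'
  else if hKey = HKEY_CURRENT_USER then
    Result := 'HKEY_CURRENT_USER'
  else if hKey = HKEY_LOCAL_MACHINE then
    Result := 'HKEY_LOCAL_MACHINE'
  else if hKey = HKEY_USERS then
    Result := 'HKEY_USERS'
  else if hKey = HKEY_PERFORMANCE_DATA then
    Result := 'HKEY_PERFORMANCE_DATA'
  else if hKey = HKEY_CURRENT_CONFIG then
    Result := 'HKEY_CURRENT_CONFIG'
  else if hKey = HKEY_DYN_DATA then
    Result := 'HKEY_DYN_DATA'
  else
    Result := '未知根路径';
end;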

{---------------------------------------}
{函数功能:Send函数的HOOK
{函数参数:同Send
{函数返回值:integer
{---------------------------------------}
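{ Renders the payload of a RegSetValueEx call as text for the prompt.
  REG_SZ / REG_EXPAND_SZ data is copied with SetString (exactly cbData bytes,
  trailing NULs dropped); REG_DWORD is shown as a number; anything else is
  summarised by type id and size so raw binary never reaches the dialog.
  The original sketch did CopyMemory(str, @lpData, ...), which copies the
  address of the pointer variable instead of the caller's buffer. }
function RegDataAsText(dwType: DWORD; lpData: Pointer; cbData: DWORD): string;
begin
  if (lpData = nil) or (cbData = 0) then
    Result := ''
  else if (dwType = REG_SZ) or (dwType = REG_EXPAND_SZ) then
  begin
    SetString(Result, PAnsiChar(lpData), cbData);
    // cbData usually includes the terminating NUL; keep it out of the message
    while (Length(Result) > 0) and (Result[Length(Result)] = #0) do
      SetLength(Result, Length(Result) - 1);
  end
  else if (dwType = REG_DWORD) and (cbData >= SizeOf(DWORD)) then
    Result := IntToStr(PDWORD(lpData)^)
  else
    Result := '<' + IntToStr(cbData) + ' bytes, type ' + IntToStr(dwType) + '>';
end;

{---------------------------------------}
{ Replacement for RegSetValueExA, installed by HookAPI.
  Parameters and return value: identical to RegSetValueExA.
  Flow: restore the original entry bytes, ask the user, call the real API
  only on "Yes", then re-install the patch.
  A denied write now returns ERROR_ACCESS_DENIED; the original returned 0
  (ERROR_SUCCESS), so the monitored program believed the value had been
  written. The value data is shown in the prompt, because approving a write
  to a key such as ...\CurrentVersion\Run without seeing what is written is
  not much of a check.
  NOTE(review): while the entry bytes are restored and the modal dialog is
  up, any other thread calling RegSetValueExA passes through unmonitored,
  and the dialog's message loop may re-enter the monitored program's code.
  Only the ANSI export is patched: RegSetValueExW, RegSetValueA/W and direct
  NtSetValueKey calls are never seen. The commented-out file logging of the
  original has been dropped; RegDataAsText provides the text if it is
  reinstated. }
function Myreg(hKey: hKey; lpValueName: PAnsiChar; Reserved: DWORD; dwType: DWORD; lpData: Pointer; cbData: DWORD): Longint; stdcall;
var
  Written: cardinal;
  Prompt: string;
begin
  // The unpatch must succeed before the real API is called: with the patch
  // still in place, Oldreg would land back in Myreg and recurse until the
  // stack overflows. The original ignored this return value.
  if not WriteProcessMemory(ProcessHandle, Addreg, @Oldproc[0], 8, Written) then
  begin
    Result := ERROR_ACCESS_DENIED;
    Exit;
  end;

  // string(nil) is '' in Delphi, so a NULL lpValueName (the default value) is safe here
  Prompt := '被监视程序即将在注册表中写入值:' + #13 + string(lpValueName) + #13 +
            '数据: ' + RegDataAsText(dwType, lpData, cbData) + #13 + '是否允许?';

  // MessageDlg returns mrYes, which equals IDYES (6); Controls is not in the
  // uses clause, so the Windows constant is used instead of the literal 6
  if MessageDlg(Prompt, mtWarning, [mbYes, mbNo], 1) = IDYES then
    Result := Oldreg(hKey, lpValueName, Reserved, dwType, lpData, cbData)
  else
    Result := ERROR_ACCESS_DENIED;

  // Re-arm the hook for the next call.
  JmpCode.Address := @Myreg;
  WriteProcessMemory(ProcessHandle, Addreg, @JmpCode, 8, Written);
end;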

{------------------------------------}
{过程功能:HookAPI
{过程参数:无
{------------------------------------}
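{------------------------------------}
{ Installs the inline hook on advapi32!RegSetValueExA in the current process.
  Saves the first 8 entry bytes into Oldproc (used by UnHookAPI and by the
  temporary restore in Myreg) and overwrites them with mov eax,@Myreg / jmp eax.
  Gives up silently if advapi32 or the export cannot be resolved, or if the
  entry bytes cannot be read or written; the original ignored all of these
  and would later have called a nil Oldreg.
  Calling it a second time while the hook is in place is a no-op. The original
  re-read the already patched entry into Oldproc, after which Myreg's "restore"
  re-wrote the hook and the call to Oldreg recursed into Myreg.
  NOTE(review): 32-bit x86 only - the 8-byte patch and its encoding do not
  hold on x64. Other threads executing the first 8 bytes of the function
  during the write are not protected against. }
procedure HookAPI;
var
  AdvApi: HMODULE;
  Entry: TJmpCode;
  Transferred: cardinal;
begin
  ProcessHandle := GetCurrentProcess;
  AdvApi := LoadLibrary('advapi32.dll');
  if AdvApi = 0 then
    Exit;
  Addreg := GetProcAddress(AdvApi, 'RegSetValueExA'); // entry address of the API
  if Addreg = nil then
    Exit;

  // 32-bit encoding: B8 imm32 = mov eax, imm32 ; FF E0 = jmp eax ; one pad byte
  JmpCode.JmpCode := $B8;
  JmpCode.Address := @Myreg;
  JmpCode.MovEAX[0] := $FF;
  JmpCode.MovEAX[1] := $E0;
  JmpCode.MovEAX[2] := 0;

  if not ReadProcessMemory(ProcessHandle, Addreg, @Entry, 8, Transferred) then
    Exit;
  // Entry already carries our patch: Oldproc still holds the real bytes, keep them.
  if CompareMem(@Entry, @JmpCode, 8) then
    Exit;
  Oldproc[0] := Entry;

  if not WriteProcessMemory(ProcessHandle, Addreg, @JmpCode, 8, Transferred) then
    Exit;
  Oldreg := Addreg;
end;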

{------------------------------------}
{过程功能:取消HOOKAPI
{过程参数:无
{------------------------------------}
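{------------------------------------}
{ Restores the original 8 entry bytes of RegSetValueExA saved by HookAPI.
  Does nothing when HookAPI never resolved the export (Addreg = nil), instead
  of attempting a write to address 0 with a zero process handle.
  NOTE(review): a call that is still inside Myreg (dialog open) will re-write
  the patch when it returns; unhook only when no such call is in flight, and
  never unload this code while the patch can still be re-armed. }
procedure UnHookAPI;
var
  Written: cardinal;
begin
  if Addreg = nil then
    Exit;
  WriteProcessMemory(ProcessHandle, Addreg, @Oldproc[0], 8, Written);
end;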

end.
如何修改这段代码,让它只监视 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run?
 
unit APIHook;

interface

uses
SysUtils,
Windows, WinSock, Dialogs, registry;

type
// Signature of the API being hooked (advapi32!RegSetValueExA). It must match the
// real export exactly (stdcall, same parameter order) because Myreg is entered
// through the patched entry point with the caller's own stack frame.
// TSockProc = function (s: TSocket; var Buf; len, flags: Integer): Integer; stdcall;

Tregproc = function(hKey: hKey; lpValueName: PAnsiChar; Reserved: DWORD; dwType: DWORD; lpData: Pointer; cbData: DWORD): Longint; stdcall;

PJmpCode = ^TJmpCode;
// Inline patch written over the first 8 bytes of the API entry:
// B8 imm32 (mov eax, Address) followed by FF E0 (jmp eax) and one pad byte.
// NOTE(review): this is a 32-bit-only encoding; with an 8-byte pointer the
// record layout and the instruction sequence are both wrong for x64.
TJmpCode = packed record
JmpCode: BYTE; // $B8 = mov eax, imm32
Address: Tregproc; // the imm32 operand: address of the replacement function
MovEAX: array[0..2] of BYTE; // despite the name: $FF $E0 = jmp eax, plus one pad byte
end;

//-------------------- forward declarations ---------------------------
procedure HookAPI;
procedure UnHookAPI;

var
Oldreg : Tregproc; // address of the real RegSetValueExA (set by HookAPI); called by Myreg after the entry bytes are restored
JmpCode : TJmpCode; // the patch HookAPI/Myreg write over the API entry
Oldproc : array[0..1] of TJmpCode; // saved copy of the original entry bytes (only the first 8 are used) for restoring/unhooking
Addreg : Pointer; // address of the RegSetValueExA entry point
TmpJmp : TJmpCode; // not referenced anywhere in this unit
ProcessHandle : THandle; // GetCurrentProcess pseudo-handle used for Read/WriteProcessMemory

implementation

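{ Maps a predefined root-key handle to its name, for prompts and logs.
  Adds HKEY_CURRENT_USER, which the original list omitted although it is the
  most commonly used root; HKEY_DYN_DATA (Win9x) is covered as well.
  Any handle that is not a predefined root - in particular a subkey handle
  returned by RegOpenKeyEx/RegCreateKeyEx - yields '未知根路径', so this
  function alone cannot tell which key a RegSetValueEx call is writing to. }
function GetRootKey(hKey: hKey): Pchar;
begin
  if hKey = HKEY_CLASSES_ROOT then
    Result := 'HKEY_CLASSES_ROOT'
  else if hKey = HKEY_CURRENT_USER then
    Result := 'HKEY_CURRENT_USER'
  else if hKey = HKEY_LOCAL_MACHINE then
    Result := 'HKEY_LOCAL_MACHINE'
  else if hKey = HKEY_USERS then
    Result := 'HKEY_USERS'
  else if hKey = HKEY_PERFORMANCE_DATA then
    Result := 'HKEY_PERFORMANCE_DATA'
  else if hKey = HKEY_CURRENT_CONFIG then
    Result := 'HKEY_CURRENT_CONFIG'
  else if hKey = HKEY_DYN_DATA then
    Result := 'HKEY_DYN_DATA'
  else
    Result := '未知根路径';
end;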

{---------------------------------------}
{函数功能:Send函数的HOOK
{函数参数:同Send
{函数返回值:integer
{---------------------------------------}
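{ Renders the payload of a RegSetValueEx call as text for the prompt.
  REG_SZ / REG_EXPAND_SZ data is copied with SetString (exactly cbData bytes,
  trailing NULs dropped); REG_DWORD is shown as a number; anything else is
  summarised by type id and size so raw binary never reaches the dialog.
  The original sketch did CopyMemory(str, @lpData, ...), which copies the
  address of the pointer variable instead of the caller's buffer. }
function RegDataAsText(dwType: DWORD; lpData: Pointer; cbData: DWORD): string;
begin
  if (lpData = nil) or (cbData = 0) then
    Result := ''
  else if (dwType = REG_SZ) or (dwType = REG_EXPAND_SZ) then
  begin
    SetString(Result, PAnsiChar(lpData), cbData);
    // cbData usually includes the terminating NUL; keep it out of the message
    while (Length(Result) > 0) and (Result[Length(Result)] = #0) do
      SetLength(Result, Length(Result) - 1);
  end
  else if (dwType = REG_DWORD) and (cbData >= SizeOf(DWORD)) then
    Result := IntToStr(PDWORD(lpData)^)
  else
    Result := '<' + IntToStr(cbData) + ' bytes, type ' + IntToStr(dwType) + '>';
end;

{---------------------------------------}
{ Replacement for RegSetValueExA, installed by HookAPI.
  Parameters and return value: identical to RegSetValueExA.
  Flow: restore the original entry bytes, ask the user, call the real API
  only on "Yes", then re-install the patch.
  A denied write now returns ERROR_ACCESS_DENIED; the original returned 0
  (ERROR_SUCCESS), so the monitored program believed the value had been
  written. The value data is shown in the prompt, because approving a write
  to a key such as ...\CurrentVersion\Run without seeing what is written is
  not much of a check.
  NOTE(review): while the entry bytes are restored and the modal dialog is
  up, any other thread calling RegSetValueExA passes through unmonitored,
  and the dialog's message loop may re-enter the monitored program's code.
  Only the ANSI export is patched: RegSetValueExW, RegSetValueA/W and direct
  NtSetValueKey calls are never seen. The commented-out file logging of the
  original has been dropped; RegDataAsText provides the text if it is
  reinstated. }
function Myreg(hKey: hKey; lpValueName: PAnsiChar; Reserved: DWORD; dwType: DWORD; lpData: Pointer; cbData: DWORD): Longint; stdcall;
var
  Written: cardinal;
  Prompt: string;
begin
  // The unpatch must succeed before the real API is called: with the patch
  // still in place, Oldreg would land back in Myreg and recurse until the
  // stack overflows. The original ignored this return value.
  if not WriteProcessMemory(ProcessHandle, Addreg, @Oldproc[0], 8, Written) then
  begin
    Result := ERROR_ACCESS_DENIED;
    Exit;
  end;

  // string(nil) is '' in Delphi, so a NULL lpValueName (the default value) is safe here
  Prompt := '被监视程序即将在注册表中写入值:' + #13 + string(lpValueName) + #13 +
            '数据: ' + RegDataAsText(dwType, lpData, cbData) + #13 + '是否允许?';

  // MessageDlg returns mrYes, which equals IDYES (6); Controls is not in the
  // uses clause, so the Windows constant is used instead of the literal 6
  if MessageDlg(Prompt, mtWarning, [mbYes, mbNo], 1) = IDYES then
    Result := Oldreg(hKey, lpValueName, Reserved, dwType, lpData, cbData)
  else
    Result := ERROR_ACCESS_DENIED;

  // Re-arm the hook for the next call.
  JmpCode.Address := @Myreg;
  WriteProcessMemory(ProcessHandle, Addreg, @JmpCode, 8, Written);
end;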

{------------------------------------}
{过程功能:HookAPI
{过程参数:无
{------------------------------------}
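{------------------------------------}
{ Installs the inline hook on advapi32!RegSetValueExA in the current process.
  Saves the first 8 entry bytes into Oldproc (used by UnHookAPI and by the
  temporary restore in Myreg) and overwrites them with mov eax,@Myreg / jmp eax.
  Gives up silently if advapi32 or the export cannot be resolved, or if the
  entry bytes cannot be read or written; the original ignored all of these
  and would later have called a nil Oldreg.
  Calling it a second time while the hook is in place is a no-op. The original
  re-read the already patched entry into Oldproc, after which Myreg's "restore"
  re-wrote the hook and the call to Oldreg recursed into Myreg.
  NOTE(review): 32-bit x86 only - the 8-byte patch and its encoding do not
  hold on x64. Other threads executing the first 8 bytes of the function
  during the write are not protected against. }
procedure HookAPI;
var
  AdvApi: HMODULE;
  Entry: TJmpCode;
  Transferred: cardinal;
begin
  ProcessHandle := GetCurrentProcess;
  AdvApi := LoadLibrary('advapi32.dll');
  if AdvApi = 0 then
    Exit;
  Addreg := GetProcAddress(AdvApi, 'RegSetValueExA'); // entry address of the API
  if Addreg = nil then
    Exit;

  // 32-bit encoding: B8 imm32 = mov eax, imm32 ; FF E0 = jmp eax ; one pad byte
  JmpCode.JmpCode := $B8;
  JmpCode.Address := @Myreg;
  JmpCode.MovEAX[0] := $FF;
  JmpCode.MovEAX[1] := $E0;
  JmpCode.MovEAX[2] := 0;

  if not ReadProcessMemory(ProcessHandle, Addreg, @Entry, 8, Transferred) then
    Exit;
  // Entry already carries our patch: Oldproc still holds the real bytes, keep them.
  if CompareMem(@Entry, @JmpCode, 8) then
    Exit;
  Oldproc[0] := Entry;

  if not WriteProcessMemory(ProcessHandle, Addreg, @JmpCode, 8, Transferred) then
    Exit;
  Oldreg := Addreg;
end;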

{------------------------------------}
{过程功能:取消HOOKAPI
{过程参数:无
{------------------------------------}
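{------------------------------------}
{ Restores the original 8 entry bytes of RegSetValueExA saved by HookAPI.
  Does nothing when HookAPI never resolved the export (Addreg = nil), instead
  of attempting a write to address 0 with a zero process handle.
  NOTE(review): a call that is still inside Myreg (dialog open) will re-write
  the patch when it returns; unhook only when no such call is in flight, and
  never unload this code while the patch can still be re-armed. }
procedure UnHookAPI;
var
  Written: cardinal;
begin
  if Addreg = nil then
    Exit;
  WriteProcessMemory(ProcessHandle, Addreg, @Oldproc[0], 8, Written);
end;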

end.
如何修改这段代码,让它只监视 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run?
 
失去信心还来问? 真够顽强的. [:D] [:D]
 
“对论坛要彻底失去信心了”,那还要问做甚?[:D][:D][:D]
这个问题不是很简单吗?用个TStringList变量记下HKEY句柄与实际Key位置的对应关系不就结了?写 Run 键时传给 RegSetValueEx 的 hKey 是 RegOpenKeyEx/RegCreateKeyEx 返回的子键句柄而不是根键,单靠 GetRootKey 是判断不出来的;在 RegSetValueEx 的替换函数中,只需把传递过来的 hKey 在 StringList 中检索一下(IndexOfObject),就知道是不是 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 键下面了。
 
对不起,我是新手!我回答不了你的问题。
以后还请多多关照,我相信有一天能和你共同探讨问题
[:)]
 
此坛以死,转站他坛
 
这是好事,说明你成长了!恭喜恭喜!~~~~
 
看了你发过来的源代码,仅仅截获RegSetValueEx一个函数是不够的,至少还需要截获RegOpenKeyEx/RegCloseKey两个函数,RegOpenKeyEx用于将HKEY句柄和实际的Key位置对应关系添加到TStringList列表中,RegCloseKey用于将要关闭的Key对应关系从列表中去除。RegCreateKeyEx 同样会返回子键句柄,也要截获;另外现在只挂了 RegSetValueExA,Unicode 程序走的是 RegSetValueExW(以及老的 RegSetValueA/W),不一起截获就会完全绕过监视;RegCloseKey 之后句柄值会被系统复用,所以关闭时必须立即从列表中删除,否则后面打开的别的键可能被误判成 Run 键。再罗嗦一句,TStringList对象怎么保存HKEY句柄和实际的Key位置的对应关系?Strings中存放Key位置字符串,Objects中存放HKEY句柄,StringList.AddObject(sKey, Pointer(hKey));
具体的代码我没空写了(怎一个懒字了得[:D]),你自己看着办吧
 