Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
我用“Delphi 深入核心编程”中所讲的方法写了个 API Hook 程序,但令我不明白的是,在 cmd.exe 中运行命令(诸如:dir *.* > temp.txt),我却无法勾到 CreateFileW 、<br>MoveFileW 之类,当然在其它一般的使用时是可以勾到的,请问这是何原因。
Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
我用“Delphi 深入核心编程”中所讲的方法写了个 API Hook 程序,但令我不明白的是,在 cmd.exe 中运行命令(诸如:dir *.* > temp.txt),我却无法勾到 CreateFileW 、<br>MoveFileW 之类,当然在其它一般的使用时是可以勾到的,请问这是何原因。
W
wqyzsh
Unregistered / Unconfirmed
GUEST, unregistred user!
在CMD.EXE中,这时只能勾到:<br>CreateFileA,MoveFileA等
余
余远源
Unregistered / Unconfirmed
GUEST, unregistred user!
是的.做不到.如果要完美的話,得寫驅動.<br>我也不確定原因,不知是沒法得到輸入表,還是SetWindowsHookEx没法进入到在控制台中运行的程序。自己做个实验试试看。
Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
我用 API Hook SDK 是可以勾到的(不是驱动,与该书的方法同理),可惜无法得到该 SDK 的源码,并且启动比较慢,有些时候也勾不上。书中方法是不是只能勾住进程而勾不住进程产生的线程?
无
无泪
Unregistered / Unconfirmed
GUEST, unregistred user!
对了,对了!
A
andyzhouap98111
Unregistered / Unconfirmed
GUEST, unregistred user!
请问那本书在那有下载
Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
to 无泪:<br> 有何指教?
T
tt.t
Unregistered / Unconfirmed
GUEST, unregistred user!
2k + sp4测试通过。<br>因为看到你的帖子才作的这个东西,所以代码很乱,许多东西都是从以前的代码东拼西凑出来的,有很大的优化空间。<br>因为你会做这类的东西,所以也没写注释,凑活看吧。<br>下面代码还不能hook仅导出Ordinal的函数,需要的话自己加吧,位置已经留出来了。<br>==============Unit1.pas(Hookdll Loader)==============<br>unit Unit1;<br><br>interface<br><br>uses<br> Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,<br> Dialogs, StdCtrls;<br><br>type<br> TForm1 = class(TForm)<br> Button1: TButton; // only a button<br> procedure Button1Click(Sender: TObject);<br> private<br> public<br> end;<br><br>var<br> Form1: TForm1;<br><br>implementation<br><br>{$R *.dfm}<br><br>const<br> VictimExe = 'c:/winnt/system32/cmd.exe';//'C:/Program Files/Borland/Delphi6/Projects/APIHOOK/test/test.exe';<br> HookDll = 'NewHook.dll';<br><br>var<br> si: STARTUPINFO;<br> pi: PROCESS_INFORMATION;<br><br>function EnabledDebugPrivilege(const bEnabled: Boolean):Boolean;<br>var<br> hToken: THandle;<br> tp: TOKEN_PRIVILEGES;<br> a: DWORD;<br>const<br> SE_DEBUG_NAME = 'SeDebugPrivilege';<br>begin<br> Result:=False;<br> if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then<br> begin<br> tp.PrivilegeCount :=1;<br> LookupPrivilegeValue(nil,SE_DEBUG_NAME ,tp.Privileges[0].Luid);<br> if bEnabled then<br> tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED<br> else<br> tp.Privileges[0].Attributes := 0;<br> a:=0;<br> AdjustTokenPrivileges(hToken,False,tp,SizeOf(tp),nil,a);<br> Result:= GetLastError = ERROR_SUCCESS;<br> CloseHandle(hToken);<br> end;<br>end;<br><br>function InjectDll(hProc:Cardinal; Dll:string):Cardinal;<br>var<br> wDllPath
wideChar;<br> pRemoteointer;<br> cbSize:cardinal;<br> TempVar:Cardinal;<br>begin<br> result:=0;<br> if hProc=0 then exit;<br> EnabledDebugPrivilege(true);<br> cbSize:= length(Dll) * 2 + 21;<br> GetMem(wDllPath,cbSize);<br> StringToWideChar(Dll,wDllPath,cbSize);<br> try<br> pRemote:=VirtualAllocEx( hProc, nil, cbSize, MEM_COMMIT, PAGE_READWRITE);<br> if WriteProcessMemory(hProc,pRemote, wDllPath, cbSize, TempVar) then<br> begin<br> TempVar:=0;<br> Result := CreateRemoteThread(hProc, nil, 0,<br> GetProcAddress(GetModuleHandle('Kernel32'),<br> 'LoadLibraryW'), pRemote, 0, TempVar);<br> VirtualFreeEx(hProc, pRemote, 0, MEM_DECOMMIT or MEM_RELEASE);<br> end;<br> finally<br> FreeMem(wDllPath);<br> end;<br>end;<br><br>procedure CreateVictimProcess(Path: String);<br>begin <br> ZeroMemory(@si, sizeof(STARTUPINFO));<br> si.cb := sizeof(STARTUPINFO);<br> if not CreateProcess(PChar(Path), nil, nil, nil, False, CREATE_SUSPENDED or CREATE_DEFAULT_ERROR_MODE, nil, nil, si, pi) then<br> begin<br> ShowMessage('CreateProcess failed!');<br> exit;<br> end;<br>end;<br><br>procedure TForm1.Button1Click(Sender: TObject);<br>begin<br> CreateVictimProcess(VictimExe);<br> InjectDll(pi.hProcess, HookDll);<br> Sleep(20);<br> ResumeThread(pi.hThread);<br>end;<br><br>end.<br>============NewHook.dpr(NewHook.dll)=============<br>library NewHook;<br><br>uses<br> JwaWinType,<br> JwaWinNt,<br> JwaWinUser,<br> JwaWinBase,<br> JwaWinGdi,<br> Classes,<br> SysUtils;<br><br>const<br> Func2Hook = 'CreateFileW';<br> FuncInDll = 'Kernel32.dll';<br><br>var<br> pFunc: Pointer = nil;<br> pOriginFunc: Pointer;<br><br>function NewCreateFileW(lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;<br> lpSecurityAttributes: LPSECURITY_ATTRIBUTES; dwCreationDisposition: DWORD;<br> dwFlagsAndAttributes: DWORD; hTemplateFile: HANDLE): HANDLE; stdcall;<br>var<br>oc: function (lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;<br> lpSecurityAttributes: LPSECURITY_ATTRIBUTES; dwCreationDisposition: DWORD;<br> dwFlagsAndAttributes: DWORD; hTemplateFile: HANDLE): HANDLE; stdcall;<br>dc:hdc;<br>begin<br> dc := getdc(0);<br> textout(dc, 20, 20, 'CreateFileW!', 12);<br> releasedc(0, dc);<br> oc := pOriginFunc;<br> oc(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition,<br> dwFlagsAndAttributes, hTemplateFile);<br>end;<br><br>function NewMessageBoxA(AWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;<br>var<br> ofunc: function (AWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;<br>begin<br> ofunc := pOriginFunc;<br> result := ofunc(AWnd, PChar('Hooked!!! ' + lpText), lpCaption, uType);<br>end;<br><br>function FuncInImage: Cardinal; //Return ImageBase<br>var<br> peb, ldr, flink, p, bs,epDWORD;<br>begin<br> result := 0;<br> asm<br> mov eax,fs:[$30]<br> mov peb,eax<br> end;<br> ldr:=pointer(dword(pointer(dword(peb)+12)^));<br> flink:=pointer(dword(pointer(dword(ldr)+12)^));<br> p:=flink;<br> repeat<br> bs:=pointer(pointer(dword(p)+$18)^); // Base address<br> ep:=pointer(pointer(dword(p)+$20)^); // Size of image<br> if (DWORD(pFunc) > DWORD(bs)) and (DWORD(pFunc) < DWORD(bs) + DWORD(ep)) then<br> begin<br> result := DWORD(bs);<br> Break;<br> end;<br> p:=pointer(dword(p^));<br> until dword(flink)=dword(p^);<br>end;<br><br>procedure FixExport(ImageBase: Cardinal);<br>var<br> PFileHeader: PImageFileHeader;<br> POptionalHeader32: PImageOptionalHeader32;<br> PExportDirectory: PImageExportDirectory;<br> PDataDirectory: PImageDataDirectory;<br><br> ExpCount: integer;<br> pAddr: PDWORD;<br> pName0, pName1: PDWORD;<br> pOrdinal0, pOrdinal1: PWORD;<br> ExpFound: Boolean;<br> i, j: Cardinal;<br>begin<br> PFileHeader := PImageFileHeader(ImageBase + PImageDosHeader(ImageBase)^.e_lfanew + 4);<br> POptionalHeader32 := PImageOptionalHeader32(DWORD(PFileHeader) + IMAGE_SIZEOF_FILE_HEADER);<br> PDataDirectory := PImageDataDirectory(@POptionalHeader32^.DataDirectory[0]);<br> inc(PDataDirectory, IMAGE_DIRECTORY_ENTRY_EXPORT);<br> PExportDirectory := PImageExportDirectory(ImageBase +PDataDirectory^.VirtualAddress);<br><br> ExpCount := PExportDirectory^.NumberOfFunctions;<br> pAddr := Pointer(ImageBase + PExportDirectory^.AddressOfFunctions);<br> pName0 := Pointer(ImageBase + PExportDirectory^.AddressOfNames);<br> pOrdinal0 := Pointer(ImageBase + PExportDirectory^.AddressOfNameOrdinals);<br><br> for i := 0 to ExpCount - 1 do<br> begin<br> if pAddr^ <> 0 then<br> begin<br> ExpFound := false;<br> pName1 := pName0;<br> pOrdinal1 := pOrdinal0;<br> for j := 0 to PExportDirectory^.NumberOfNames - 1 do <br> begin<br> if pOrdinal1^ = i then<br> begin<br> if PChar(ImageBase + pName1^) = Func2Hook then<br> begin<br> ExpFound := true;<br> pOriginFunc := Pointer(ImageBase + pAddr^);<br> break;<br> end;<br> end;<br> inc(pOrdinal1);<br> inc(pName1);<br> end; // for j<br> if ExpFound then<br> begin<br> Break;<br>// tmpExp^.Orindal := pOrdinal1^ + ExpPtr^.Base;<br> end;<br>// else<br>// tmpExp^.Orindal := i + ExpPtr^.Base;<br><br> end; //if pAddr^ <> 0<br> inc(pAddr);<br> end; // for i<br> virtualprotect(pAddr, 4, $40, @i);<br> pAddr^ := DWORD(@NewCreateFileW) - ImageBase;<br>end;<br><br>function FuncUsed(ImageBase: Cardinal): Pointer;<br>var<br> PFileHeader: PImageFileHeader;<br> POptionalHeader32: PImageOptionalHeader32;<br> PImportDecriptor: PImageImportDecriptor;<br> PDataDirectory: PImageDataDirectory;<br> i, j: integer;<br>begin<br> result := nil;<br> PFileHeader := PImageFileHeader(ImageBase + PImageDosHeader(ImageBase)^.e_lfanew + 4);<br> POptionalHeader32 := PImageOptionalHeader32(DWORD(PFileHeader) + IMAGE_SIZEOF_FILE_HEADER);<br> PDataDirectory := PImageDataDirectory(@POptionalHeader32^.DataDirectory[0]);<br> inc(PDataDirectory, IMAGE_DIRECTORY_ENTRY_IMPORT);<br> if PDataDirectory^.Size = 0 then<br> exit;<br> PImportDecriptor := PImageImportDecriptor(ImageBase +PDataDirectory^.VirtualAddress);<br><br> while (PImportDecriptor^.Union.OriginalFirstThunk <> 0) or (PImportDecriptor^.TimeDateStamp <> 0) or<br> (PImportDecriptor^.ForwarderChain <> 0) or (PImportDecriptor^.Name <> 0) or (PImportDecriptor^.FirstThunk <> 0) do<br> begin<br> if CompareText(PChar(ImageBase + PImportDecriptor^.Name), FuncInDll)=0 then<br> begin<br>// if PImportDecriptor^.Union.OriginalFirstThunk <> 0 then<br>// j := ImageBase + PImportDecriptor^.Union.OriginalFirstThunk<br>// else<br> j := ImageBase + PImportDecriptor^.FirstThunk;<br> while PDWORD(j)^ <> 0 do<br> begin<br> if PDWORD(j)^ and IMAGE_ORDINAL_FLAG32 = 0 then<br> begin<br> if PDWORD(j)^ = DWORD(pOriginFunc) then<br> begin<br>// asm int 3 end;<br> virtualprotect(Pointer(j), 4, $40, @i);<br> PDWORD(j)^ := DWORD(@NewCreateFileW);<br> end;<br> //<br> // Ordinal only support here<br> //<br> end;<br> inc(j, 4);<br> end;<br> end;<br> inc(PImportDecriptor);<br> end;<br>end;<br><br>procedure FixImport;<br>var<br> peb, ldr, flink, p, bsDWORD;<br>begin<br> asm<br> mov eax,fs:[$30]<br> mov peb,eax<br> end;<br> ldr:=pointer(dword(pointer(dword(peb)+12)^));<br> flink:=pointer(dword(pointer(dword(ldr)+12)^));<br> p:=flink;<br> repeat<br> bs:=pointer(pointer(dword(p)+$18)^); // Base address<br> FuncUsed(DWORD(bs));<br> p:=pointer(dword(p^));<br> until dword(flink)=dword(p^);<br>end;<br><br>procedure EntryPointProc(Reason: Integer);<br>var<br> ExpImageBase: Cardinal;<br>begin <br> if Reason <> DLL_PROCESS_ATTACH then<br> exit;<br> pFunc := GetProcAddress(GetModuleHandle(FuncInDll), Func2Hook);<br> ExpImageBase := FuncInImage;<br> if ExpImageBase <> GetModuleHandle(nil) then<br> FixExport(ExpImageBase);<br> FixImport;<br>end;<br><br>begin <br> DllProc := @EntryPointProc;<br> EntryPointProc(DLL_PROCESS_ATTACH);<br>end.
wideChar;<br> pRemoteointer;<br> cbSize:cardinal;<br> TempVar:Cardinal;<br>begin<br> result:=0;<br> if hProc=0 then exit;<br> EnabledDebugPrivilege(true);<br> cbSize:= length(Dll) * 2 + 21;<br> GetMem(wDllPath,cbSize);<br> StringToWideChar(Dll,wDllPath,cbSize);<br> try<br> pRemote:=VirtualAllocEx( hProc, nil, cbSize, MEM_COMMIT, PAGE_READWRITE);<br> if WriteProcessMemory(hProc,pRemote, wDllPath, cbSize, TempVar) then<br> begin<br> TempVar:=0;<br> Result := CreateRemoteThread(hProc, nil, 0,<br> GetProcAddress(GetModuleHandle('Kernel32'),<br> 'LoadLibraryW'), pRemote, 0, TempVar);<br> VirtualFreeEx(hProc, pRemote, 0, MEM_DECOMMIT or MEM_RELEASE);<br> end;<br> finally<br> FreeMem(wDllPath);<br> end;<br>end;<br><br>procedure CreateVictimProcess(Path: String);<br>begin <br> ZeroMemory(@si, sizeof(STARTUPINFO));<br> si.cb := sizeof(STARTUPINFO);<br> if not CreateProcess(PChar(Path), nil, nil, nil, False, CREATE_SUSPENDED or CREATE_DEFAULT_ERROR_MODE, nil, nil, si, pi) then<br> begin<br> ShowMessage('CreateProcess failed!');<br> exit;<br> end;<br>end;<br><br>procedure TForm1.Button1Click(Sender: TObject);<br>begin<br> CreateVictimProcess(VictimExe);<br> InjectDll(pi.hProcess, HookDll);<br> Sleep(20);<br> ResumeThread(pi.hThread);<br>end;<br><br>end.<br>============NewHook.dpr(NewHook.dll)=============<br>library NewHook;<br><br>uses<br> JwaWinType,<br> JwaWinNt,<br> JwaWinUser,<br> JwaWinBase,<br> JwaWinGdi,<br> Classes,<br> SysUtils;<br><br>const<br> Func2Hook = 'CreateFileW';<br> FuncInDll = 'Kernel32.dll';<br><br>var<br> pFunc: Pointer = nil;<br> pOriginFunc: Pointer;<br><br>function NewCreateFileW(lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;<br> lpSecurityAttributes: LPSECURITY_ATTRIBUTES; dwCreationDisposition: DWORD;<br> dwFlagsAndAttributes: DWORD; hTemplateFile: HANDLE): HANDLE; stdcall;<br>var<br>oc: function (lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;<br> lpSecurityAttributes: LPSECURITY_ATTRIBUTES; dwCreationDisposition: DWORD;<br> dwFlagsAndAttributes: DWORD; hTemplateFile: HANDLE): HANDLE; stdcall;<br>dc:hdc;<br>begin<br> dc := getdc(0);<br> textout(dc, 20, 20, 'CreateFileW!', 12);<br> releasedc(0, dc);<br> oc := pOriginFunc;<br> oc(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition,<br> dwFlagsAndAttributes, hTemplateFile);<br>end;<br><br>function NewMessageBoxA(AWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;<br>var<br> ofunc: function (AWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;<br>begin<br> ofunc := pOriginFunc;<br> result := ofunc(AWnd, PChar('Hooked!!! ' + lpText), lpCaption, uType);<br>end;<br><br>function FuncInImage: Cardinal; //Return ImageBase<br>var<br> peb, ldr, flink, p, bs,epDWORD;<br>begin<br> result := 0;<br> asm<br> mov eax,fs:[$30]<br> mov peb,eax<br> end;<br> ldr:=pointer(dword(pointer(dword(peb)+12)^));<br> flink:=pointer(dword(pointer(dword(ldr)+12)^));<br> p:=flink;<br> repeat<br> bs:=pointer(pointer(dword(p)+$18)^); // Base address<br> ep:=pointer(pointer(dword(p)+$20)^); // Size of image<br> if (DWORD(pFunc) > DWORD(bs)) and (DWORD(pFunc) < DWORD(bs) + DWORD(ep)) then<br> begin<br> result := DWORD(bs);<br> Break;<br> end;<br> p:=pointer(dword(p^));<br> until dword(flink)=dword(p^);<br>end;<br><br>procedure FixExport(ImageBase: Cardinal);<br>var<br> PFileHeader: PImageFileHeader;<br> POptionalHeader32: PImageOptionalHeader32;<br> PExportDirectory: PImageExportDirectory;<br> PDataDirectory: PImageDataDirectory;<br><br> ExpCount: integer;<br> pAddr: PDWORD;<br> pName0, pName1: PDWORD;<br> pOrdinal0, pOrdinal1: PWORD;<br> ExpFound: Boolean;<br> i, j: Cardinal;<br>begin<br> PFileHeader := PImageFileHeader(ImageBase + PImageDosHeader(ImageBase)^.e_lfanew + 4);<br> POptionalHeader32 := PImageOptionalHeader32(DWORD(PFileHeader) + IMAGE_SIZEOF_FILE_HEADER);<br> PDataDirectory := PImageDataDirectory(@POptionalHeader32^.DataDirectory[0]);<br> inc(PDataDirectory, IMAGE_DIRECTORY_ENTRY_EXPORT);<br> PExportDirectory := PImageExportDirectory(ImageBase +PDataDirectory^.VirtualAddress);<br><br> ExpCount := PExportDirectory^.NumberOfFunctions;<br> pAddr := Pointer(ImageBase + PExportDirectory^.AddressOfFunctions);<br> pName0 := Pointer(ImageBase + PExportDirectory^.AddressOfNames);<br> pOrdinal0 := Pointer(ImageBase + PExportDirectory^.AddressOfNameOrdinals);<br><br> for i := 0 to ExpCount - 1 do<br> begin<br> if pAddr^ <> 0 then<br> begin<br> ExpFound := false;<br> pName1 := pName0;<br> pOrdinal1 := pOrdinal0;<br> for j := 0 to PExportDirectory^.NumberOfNames - 1 do <br> begin<br> if pOrdinal1^ = i then<br> begin<br> if PChar(ImageBase + pName1^) = Func2Hook then<br> begin<br> ExpFound := true;<br> pOriginFunc := Pointer(ImageBase + pAddr^);<br> break;<br> end;<br> end;<br> inc(pOrdinal1);<br> inc(pName1);<br> end; // for j<br> if ExpFound then<br> begin<br> Break;<br>// tmpExp^.Orindal := pOrdinal1^ + ExpPtr^.Base;<br> end;<br>// else<br>// tmpExp^.Orindal := i + ExpPtr^.Base;<br><br> end; //if pAddr^ <> 0<br> inc(pAddr);<br> end; // for i<br> virtualprotect(pAddr, 4, $40, @i);<br> pAddr^ := DWORD(@NewCreateFileW) - ImageBase;<br>end;<br><br>function FuncUsed(ImageBase: Cardinal): Pointer;<br>var<br> PFileHeader: PImageFileHeader;<br> POptionalHeader32: PImageOptionalHeader32;<br> PImportDecriptor: PImageImportDecriptor;<br> PDataDirectory: PImageDataDirectory;<br> i, j: integer;<br>begin<br> result := nil;<br> PFileHeader := PImageFileHeader(ImageBase + PImageDosHeader(ImageBase)^.e_lfanew + 4);<br> POptionalHeader32 := PImageOptionalHeader32(DWORD(PFileHeader) + IMAGE_SIZEOF_FILE_HEADER);<br> PDataDirectory := PImageDataDirectory(@POptionalHeader32^.DataDirectory[0]);<br> inc(PDataDirectory, IMAGE_DIRECTORY_ENTRY_IMPORT);<br> if PDataDirectory^.Size = 0 then<br> exit;<br> PImportDecriptor := PImageImportDecriptor(ImageBase +PDataDirectory^.VirtualAddress);<br><br> while (PImportDecriptor^.Union.OriginalFirstThunk <> 0) or (PImportDecriptor^.TimeDateStamp <> 0) or<br> (PImportDecriptor^.ForwarderChain <> 0) or (PImportDecriptor^.Name <> 0) or (PImportDecriptor^.FirstThunk <> 0) do<br> begin<br> if CompareText(PChar(ImageBase + PImportDecriptor^.Name), FuncInDll)=0 then<br> begin<br>// if PImportDecriptor^.Union.OriginalFirstThunk <> 0 then<br>// j := ImageBase + PImportDecriptor^.Union.OriginalFirstThunk<br>// else<br> j := ImageBase + PImportDecriptor^.FirstThunk;<br> while PDWORD(j)^ <> 0 do<br> begin<br> if PDWORD(j)^ and IMAGE_ORDINAL_FLAG32 = 0 then<br> begin<br> if PDWORD(j)^ = DWORD(pOriginFunc) then<br> begin<br>// asm int 3 end;<br> virtualprotect(Pointer(j), 4, $40, @i);<br> PDWORD(j)^ := DWORD(@NewCreateFileW);<br> end;<br> //<br> // Ordinal only support here<br> //<br> end;<br> inc(j, 4);<br> end;<br> end;<br> inc(PImportDecriptor);<br> end;<br>end;<br><br>procedure FixImport;<br>var<br> peb, ldr, flink, p, bsDWORD;<br>begin<br> asm<br> mov eax,fs:[$30]<br> mov peb,eax<br> end;<br> ldr:=pointer(dword(pointer(dword(peb)+12)^));<br> flink:=pointer(dword(pointer(dword(ldr)+12)^));<br> p:=flink;<br> repeat<br> bs:=pointer(pointer(dword(p)+$18)^); // Base address<br> FuncUsed(DWORD(bs));<br> p:=pointer(dword(p^));<br> until dword(flink)=dword(p^);<br>end;<br><br>procedure EntryPointProc(Reason: Integer);<br>var<br> ExpImageBase: Cardinal;<br>begin <br> if Reason <> DLL_PROCESS_ATTACH then<br> exit;<br> pFunc := GetProcAddress(GetModuleHandle(FuncInDll), Func2Hook);<br> ExpImageBase := FuncInImage;<br> if ExpImageBase <> GetModuleHandle(nil) then<br> FixExport(ExpImageBase);<br> FixImport;<br>end;<br><br>begin <br> DllProc := @EntryPointProc;<br> EntryPointProc(DLL_PROCESS_ATTACH);<br>end.
Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
谢谢先,我试试看
T
tt.t
Unregistered / Unconfirmed
GUEST, unregistred user!
这个东西现在还有问题,我还要再改改
T
tt.t
Unregistered / Unconfirmed
GUEST, unregistred user!
改进完成,试试这个<br>//------------------------------<br>object Form1: TForm1<br> Left = 195<br> Top = 109<br> Width = 248<br> Height = 167<br> Caption = 'Form1'<br> Color = clBtnFace<br> Font.Charset = DEFAULT_CHARSET<br> Font.Color = clWindowText<br> Font.Height = -11<br> Font.Name = 'MS Sans Serif'<br> Font.Style = []<br> OldCreateOrder = False<br> PixelsPerInch = 96<br> TextHeight = 13<br> object Button1: TButton<br> Left = 48<br> Top = 72<br> Width = 145<br> Height = 57<br> Caption = 'Button1'<br> TabOrder = 0<br> OnClick = Button1Click<br> end<br> object RadioButton1: TRadioButton<br> Left = 64<br> Top = 8<br> Width = 113<br> Height = 17<br> Caption = 'cmd.exe'<br> Checked = True<br> TabOrder = 1<br> TabStop = True<br> end<br> object RadioButton2: TRadioButton<br> Left = 64<br> Top = 40<br> Width = 113<br> Height = 17<br> Caption = 'fsg.exe'<br> TabOrder = 2<br> end<br>end<br>//-----------------------------<br>unit Unit1;<br><br>interface<br><br>uses<br> Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,<br> Dialogs, StdCtrls;<br><br>type<br> TForm1 = class(TForm)<br> Button1: TButton;<br> RadioButton1: TRadioButton;<br> RadioButton2: TRadioButton;<br> procedure Button1Click(Sender: TObject);<br> private<br> public<br> end;<br><br>var<br> Form1: TForm1;<br><br>implementation<br><br>{$R *.dfm}<br><br>const<br> HookDll = 'C:/Program Files/Borland/Delphi6/Projects/APIHOOK/HookDll/HookDll.dll';<br><br>var<br> si: STARTUPINFO;<br> pi: PROCESS_INFORMATION;<br><br>function EnabledDebugPrivilege(const bEnabled: Boolean):Boolean;<br>var<br> hToken: THandle;<br> tp: TOKEN_PRIVILEGES;<br> a: DWORD;<br>const<br> SE_DEBUG_NAME = 'SeDebugPrivilege';<br>begin<br> Result:=False;<br> if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, hToken)) then<br> begin<br> tp.PrivilegeCount :=1;<br> LookupPrivilegeValue(nil,SE_DEBUG_NAME ,tp.Privileges[0].Luid);<br> if bEnabled then<br> tp.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED<br> else<br> tp.Privileges[0].Attributes := 0;<br> a:=0;<br> AdjustTokenPrivileges(hToken,False,tp,SizeOf(tp),nil,a);<br> Result:= GetLastError = ERROR_SUCCESS;<br> CloseHandle(hToken);<br> end;<br>end;<br><br>function InjectDll(hProc:Cardinal; Dll:string):Cardinal;<br>var<br> wDllPathwideChar;<br> pRemoteointer;<br> cbSize:cardinal;<br> TempVar:Cardinal;<br>begin<br> result:=0;<br> if hProc=0 then exit;<br> EnabledDebugPrivilege(true);<br> cbSize:= length(Dll) * 2 + 21;<br> GetMem(wDllPath,cbSize);<br> StringToWideChar(Dll,wDllPath,cbSize);<br> try<br> pRemote:=VirtualAllocEx( hProc, nil, cbSize, MEM_COMMIT, PAGE_READWRITE);<br> if WriteProcessMemory(hProc,pRemote, wDllPath, cbSize, TempVar) then<br> begin<br> TempVar:=0;<br> Result := CreateRemoteThread(hProc, nil, 0,<br> GetProcAddress(GetModuleHandle('Kernel32'),<br> 'LoadLibraryW'), pRemote, 0, TempVar);<br> VirtualFreeEx(hProc, pRemote, 0, MEM_DECOMMIT or MEM_RELEASE);<br> end;<br> finally<br> FreeMem(wDllPath);<br> end;<br>end;<br><br>procedure CreateVictimProcess(Path: String);<br>begin <br> ZeroMemory(@si, sizeof(STARTUPINFO));<br> si.cb := sizeof(STARTUPINFO);<br> if not CreateProcess(PChar(Path), nil, nil, nil, False, CREATE_SUSPENDED or CREATE_DEFAULT_ERROR_MODE, nil,<br> PChar(ExtractFilePath(Path)), si, pi) then<br> begin<br> ShowMessage('CreateProcess failed! ' + syserrormessage(getlasterror));<br> exit;<br> end;<br>end;<br><br>procedure TForm1.Button1Click(Sender: TObject);<br>var<br> VictimExe: string;<br>begin<br> if RadioButton1.Checked then<br> VictimExe := 'c:/winnt/system32/cmd.exe'<br> else<br> VictimExe := 'E:/CB/fsg/fsg.exe';<br> CreateVictimProcess(VictimExe);<br> InjectDll(pi.hProcess, HookDll);<br> Sleep(20);<br> ResumeThread(pi.hThread);<br>end;<br><br>end.<br>//-----------------------------<br>library NewHook;<br><br>uses<br> {Jedi header}<br> JwaWinType,<br> JwaWinNt,<br> JwaWinUser,<br> JwaWinBase,<br> JwaWinGdi,<br> JwaWinNLS;<br><br>const<br> Func2Hook: PChar = 'CreateFileW';<br> FuncInDll: PChar = 'Kernel32.dll';<br><br>var<br> pOriginFunc: Pointer = nil;<br> pNewFunc: Pointer = nil;<br> DllHash: Cardinal = 0;<br> MainProcImageBase: Cardinal = 0;<br> MainProcImageSize: Cardinal = 0; <br><br>function NewCreateFileW(lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;<br> lpSecurityAttributes: LPSECURITY_ATTRIBUTES; dwCreationDisposition: DWORD;<br> dwFlagsAndAttributes: DWORD; hTemplateFile: HANDLE): HANDLE; stdcall;<br>var<br> oc: function (lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;<br> lpSecurityAttributes: LPSECURITY_ATTRIBUTES; dwCreationDisposition: DWORD;<br> dwFlagsAndAttributes: DWORD; hTemplateFile: HANDLE): HANDLE; stdcall;<br> dc:hdc;<br> Path: PChar;<br> lPath: Cardinal;<br> FileName: String;<br> RtnAddress: DWORD;<br>begin<br> asm<br> mov eax, [esp + $C] //overleap 3 "push", generated by compiler<br> mov RtnAddress, eax<br> end;<br>// if (RtnAddress >= MainProcImageBase) and (RtnAddress <= MainProcImageBase + MainProcImageSize) then<br> begin<br> {the call is from the main process }<br> dc := getdc(0);<br> textout(dc, 10, 20, PChar(Func2Hook + ' detected!'), length(Func2Hook) + 10); //show we did it!<br> releasedc(0, dc);<br> end;<br> lPath := GetCurrentDirectory(0, nil);<br> GetMem(Path, lPath);<br> ZeroMemory(Path, lPath);<br> GetCurrentDirectory(lPath, Path);<br> FileName := WideCharToString(lpFileName);<br> try<br> MessageBox(0, PChar('File path: ' + Path + FileName), 'CreateFileW Notify', MB_OK);<br> finally<br> FreeMem(Path);<br> end;<br> oc := pOriginFunc;<br> result := oc(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition,<br> dwFlagsAndAttributes, hTemplateFile);<br>end;<br><br>(*************************************************)<br>(* *)<br>(* Hook Process Start Here *)<br>(* *)<br>(*************************************************)<br><br><br>function CalcHash(pText: Pointer): Cardinal;<br>begin<br> result := 0;<br> while PByte(pText)^ <> 0 do<br> begin<br> result := ((result shl 5) or (result shr 15)) + PByte(pText)^;<br> if (PByte(pText)^ >= $61) and (PByte(pText)^ <= $7A) then //UpperCase (Makes hash case insensitive)<br> dec(result, 32);<br> inc(PByte(pText));<br> end;<br>end;<br><br>function GetSectionPtr(ImageBase: Cardinal; SectionIndex: integer): Pointer;<br>var<br> PFileHeader: PImageFileHeader;<br> POptionalHeader32: PImageOptionalHeader32;<br> PDataDirectory: PImageDataDirectory;<br>begin<br> result := nil;<br> PFileHeader := PImageFileHeader(ImageBase + DWORD(PImageDosHeader(ImageBase)^.e_lfanew) + 4);<br> POptionalHeader32 := PImageOptionalHeader32(DWORD(PFileHeader) + IMAGE_SIZEOF_FILE_HEADER);<br> PDataDirectory := PImageDataDirectory(@POptionalHeader32^.DataDirectory[0]);<br> inc(PDataDirectory, SectionIndex); <br> if PDataDirectory^.Size = 0 then<br> exit;<br> result := PImageExportDirectory(ImageBase +PDataDirectory^.VirtualAddress);<br>end;<br><br>procedure FixExport(ImageBase: Cardinal; OriginExpRVA: DWORD; NewExpRVA: DWORD);<br>var<br> PExportDirectory: PImageExportDirectory;<br> pAddr: PDWORD;<br> i, OldProtect: Cardinal;<br>begin<br> PExportDirectory := GetSectionPtr(ImageBase, IMAGE_DIRECTORY_ENTRY_EXPORT);<br> if PExportDirectory = nil then<br> exit;<br><br> pAddr := Pointer(ImageBase + PExportDirectory^.AddressOfFunctions);<br> for i := 0 to PExportDirectory^.NumberOfFunctions - 1 do<br> begin<br> if ImageBase + pAddr^ = OriginExpRVA then<br> begin<br> VirtualProtect(pAddr, SizeOf(DWORD), PAGE_READWRITE, @OldProtect);<br> pAddr^ := NewExpRVA;<br> VirtualProtect(pAddr, SizeOf(DWORD), OldProtect, @OldProtect);<br> Break;<br> end;<br> inc(pAddr);<br> end; // for i<br>end;<br><br>procedure FixImport(ImageBase: Cardinal; OriginAddr: DWORD; NewAddr: DWORD);<br>var<br> PImportDecriptor: PImageImportDecriptor;<br> TmpVar: DWORD;<br> pThunk: PDWORD;<br>begin<br> PImportDecriptor := GetSectionPtr(ImageBase, IMAGE_DIRECTORY_ENTRY_IMPORT);<br> if PImportDecriptor = nil then<br> exit;<br><br> while PImportDecriptor^.FirstThunk <> 0 do //After loaded, FirstThunk must be valid !<br> begin<br> if CalcHash(PChar(ImageBase + PImportDecriptor^.Name)) = DllHash then<br> begin<br> pThunk := PDWORD(ImageBase + PImportDecriptor^.FirstThunk);<br> while pThunk^ <> 0 do<br> begin<br> if pThunk^ = OriginAddr then<br> begin<br> VirtualProtect(pThunk, 4, $40, @TmpVar);<br> pThunk^ := NewAddr;<br> Break;<br> end;<br> inc(pThunk);<br> end;<br> end;<br> inc(PImportDecriptor);<br> end;<br>end;<br><br>procedure DoHook(OldAddr, NewAddr, NewRVA: DWORD);<br>var<br> PEB, Ldr, fLink: DWORD;<br> p: PDWORD;<br> ImageBase, ImageSize: DWORD;<br>begin<br> asm<br> mov eax, fs: [$30]<br> mov PEB, eax<br> end;<br> Ldr := PDWORD(PEB + $C)^;<br> fLink := PDWORD(Ldr + $C)^;<br> p := PDWORD(fLink);<br> repeat<br> ImageBase := PDWORD(DWORD(p) + $18)^; // Base address<br> ImageSize := PDWORD(DWORD(p) + $20)^; // Size of image<br> if ImageBase = GetModuleHandle(nil) then<br> begin<br> MainProcImageBase := ImageBase;<br> MainProcImageSize := ImageSize;<br> end;<br> if (DWORD(pOriginFunc) > ImageBase) and (DWORD(pOriginFunc) < ImageBase + ImageSize) then<br> FixExport(ImageBase, OldAddr, NewRVA - ImageBase);<br> FixImport(ImageBase, OldAddr, NewAddr);<br> p := PDWORD(p^);<br> until fLink = p^;<br>end;<br><br>procedure EntryPointProc(Reason: Integer);<br>begin<br> if Reason = DLL_PROCESS_ATTACH then<br> begin<br> DllHash := CalcHash(FuncInDll);<br> pNewFunc := @NewCreateFileW;<br>// pOriginFunc := GetProcAddress(GetModuleHandle(FuncInDll), PChar(MakelParam($3C, 0)));<br>{ GetProcAddress by ordinal. $3C is the ordinal of CreateFileW}<br> pOriginFunc := GetProcAddress(GetModuleHandle(FuncInDll), Func2Hook);<br>{ GetProcAddress by name}<br> DoHook(DWORD(pOriginFunc), DWORD(pNewFunc), $100000000 + DWORD(pNewFunc));<br> end<br> else if Reason = DLL_PROCESS_DETACH then<br> begin<br> //Reset to original state.<br> DoHook(DWORD(pNewFunc), DWORD(pOriginFunc), DWORD(pOriginFunc));<br> end;<br>end;<br><br>begin <br> DllProc := @EntryPointProc;<br> EntryPointProc(DLL_PROCESS_ATTACH);<br>end.
wideChar;<br> pRemoteointer;<br> cbSize:cardinal;<br> TempVar:Cardinal;<br>begin<br> result:=0;<br> if hProc=0 then exit;<br> EnabledDebugPrivilege(true);<br> cbSize:= length(Dll) * 2 + 21;<br> GetMem(wDllPath,cbSize);<br> StringToWideChar(Dll,wDllPath,cbSize);<br> try<br> pRemote:=VirtualAllocEx( hProc, nil, cbSize, MEM_COMMIT, PAGE_READWRITE);<br> if WriteProcessMemory(hProc,pRemote, wDllPath, cbSize, TempVar) then<br> begin<br> TempVar:=0;<br> Result := CreateRemoteThread(hProc, nil, 0,<br> GetProcAddress(GetModuleHandle('Kernel32'),<br> 'LoadLibraryW'), pRemote, 0, TempVar);<br> VirtualFreeEx(hProc, pRemote, 0, MEM_DECOMMIT or MEM_RELEASE);<br> end;<br> finally<br> FreeMem(wDllPath);<br> end;<br>end;<br><br>procedure CreateVictimProcess(Path: String);<br>begin <br> ZeroMemory(@si, sizeof(STARTUPINFO));<br> si.cb := sizeof(STARTUPINFO);<br> if not CreateProcess(PChar(Path), nil, nil, nil, False, CREATE_SUSPENDED or CREATE_DEFAULT_ERROR_MODE, nil,<br> PChar(ExtractFilePath(Path)), si, pi) then<br> begin<br> ShowMessage('CreateProcess failed! ' + syserrormessage(getlasterror));<br> exit;<br> end;<br>end;<br><br>procedure TForm1.Button1Click(Sender: TObject);<br>var<br> VictimExe: string;<br>begin<br> if RadioButton1.Checked then<br> VictimExe := 'c:/winnt/system32/cmd.exe'<br> else<br> VictimExe := 'E:/CB/fsg/fsg.exe';<br> CreateVictimProcess(VictimExe);<br> InjectDll(pi.hProcess, HookDll);<br> Sleep(20);<br> ResumeThread(pi.hThread);<br>end;<br><br>end.<br>//-----------------------------<br>library NewHook;<br><br>uses<br> {Jedi header}<br> JwaWinType,<br> JwaWinNt,<br> JwaWinUser,<br> JwaWinBase,<br> JwaWinGdi,<br> JwaWinNLS;<br><br>const<br> Func2Hook: PChar = 'CreateFileW';<br> FuncInDll: PChar = 'Kernel32.dll';<br><br>var<br> pOriginFunc: Pointer = nil;<br> pNewFunc: Pointer = nil;<br> DllHash: Cardinal = 0;<br> MainProcImageBase: Cardinal = 0;<br> MainProcImageSize: Cardinal = 0; <br><br>function NewCreateFileW(lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;<br> lpSecurityAttributes: LPSECURITY_ATTRIBUTES; dwCreationDisposition: DWORD;<br> dwFlagsAndAttributes: DWORD; hTemplateFile: HANDLE): HANDLE; stdcall;<br>var<br> oc: function (lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;<br> lpSecurityAttributes: LPSECURITY_ATTRIBUTES; dwCreationDisposition: DWORD;<br> dwFlagsAndAttributes: DWORD; hTemplateFile: HANDLE): HANDLE; stdcall;<br> dc:hdc;<br> Path: PChar;<br> lPath: Cardinal;<br> FileName: String;<br> RtnAddress: DWORD;<br>begin<br> asm<br> mov eax, [esp + $C] //overleap 3 "push", generated by compiler<br> mov RtnAddress, eax<br> end;<br>// if (RtnAddress >= MainProcImageBase) and (RtnAddress <= MainProcImageBase + MainProcImageSize) then<br> begin<br> {the call is from the main process }<br> dc := getdc(0);<br> textout(dc, 10, 20, PChar(Func2Hook + ' detected!'), length(Func2Hook) + 10); //show we did it!<br> releasedc(0, dc);<br> end;<br> lPath := GetCurrentDirectory(0, nil);<br> GetMem(Path, lPath);<br> ZeroMemory(Path, lPath);<br> GetCurrentDirectory(lPath, Path);<br> FileName := WideCharToString(lpFileName);<br> try<br> MessageBox(0, PChar('File path: ' + Path + FileName), 'CreateFileW Notify', MB_OK);<br> finally<br> FreeMem(Path);<br> end;<br> oc := pOriginFunc;<br> result := oc(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition,<br> dwFlagsAndAttributes, hTemplateFile);<br>end;<br><br>(*************************************************)<br>(* *)<br>(* Hook Process Start Here *)<br>(* *)<br>(*************************************************)<br><br><br>function CalcHash(pText: Pointer): Cardinal;<br>begin<br> result := 0;<br> while PByte(pText)^ <> 0 do<br> begin<br> result := ((result shl 5) or (result shr 15)) + PByte(pText)^;<br> if (PByte(pText)^ >= $61) and (PByte(pText)^ <= $7A) then //UpperCase (Makes hash case insensitive)<br> dec(result, 32);<br> inc(PByte(pText));<br> end;<br>end;<br><br>function GetSectionPtr(ImageBase: Cardinal; SectionIndex: integer): Pointer;<br>var<br> PFileHeader: PImageFileHeader;<br> POptionalHeader32: PImageOptionalHeader32;<br> PDataDirectory: PImageDataDirectory;<br>begin<br> result := nil;<br> PFileHeader := PImageFileHeader(ImageBase + DWORD(PImageDosHeader(ImageBase)^.e_lfanew) + 4);<br> POptionalHeader32 := PImageOptionalHeader32(DWORD(PFileHeader) + IMAGE_SIZEOF_FILE_HEADER);<br> PDataDirectory := PImageDataDirectory(@POptionalHeader32^.DataDirectory[0]);<br> inc(PDataDirectory, SectionIndex); <br> if PDataDirectory^.Size = 0 then<br> exit;<br> result := PImageExportDirectory(ImageBase +PDataDirectory^.VirtualAddress);<br>end;<br><br>procedure FixExport(ImageBase: Cardinal; OriginExpRVA: DWORD; NewExpRVA: DWORD);<br>var<br> PExportDirectory: PImageExportDirectory;<br> pAddr: PDWORD;<br> i, OldProtect: Cardinal;<br>begin<br> PExportDirectory := GetSectionPtr(ImageBase, IMAGE_DIRECTORY_ENTRY_EXPORT);<br> if PExportDirectory = nil then<br> exit;<br><br> pAddr := Pointer(ImageBase + PExportDirectory^.AddressOfFunctions);<br> for i := 0 to PExportDirectory^.NumberOfFunctions - 1 do<br> begin<br> if ImageBase + pAddr^ = OriginExpRVA then<br> begin<br> VirtualProtect(pAddr, SizeOf(DWORD), PAGE_READWRITE, @OldProtect);<br> pAddr^ := NewExpRVA;<br> VirtualProtect(pAddr, SizeOf(DWORD), OldProtect, @OldProtect);<br> Break;<br> end;<br> inc(pAddr);<br> end; // for i<br>end;<br><br>procedure FixImport(ImageBase: Cardinal; OriginAddr: DWORD; NewAddr: DWORD);<br>var<br> PImportDecriptor: PImageImportDecriptor;<br> TmpVar: DWORD;<br> pThunk: PDWORD;<br>begin<br> PImportDecriptor := GetSectionPtr(ImageBase, IMAGE_DIRECTORY_ENTRY_IMPORT);<br> if PImportDecriptor = nil then<br> exit;<br><br> while PImportDecriptor^.FirstThunk <> 0 do //After loaded, FirstThunk must be valid !<br> begin<br> if CalcHash(PChar(ImageBase + PImportDecriptor^.Name)) = DllHash then<br> begin<br> pThunk := PDWORD(ImageBase + PImportDecriptor^.FirstThunk);<br> while pThunk^ <> 0 do<br> begin<br> if pThunk^ = OriginAddr then<br> begin<br> VirtualProtect(pThunk, 4, $40, @TmpVar);<br> pThunk^ := NewAddr;<br> Break;<br> end;<br> inc(pThunk);<br> end;<br> end;<br> inc(PImportDecriptor);<br> end;<br>end;<br><br>procedure DoHook(OldAddr, NewAddr, NewRVA: DWORD);<br>var<br> PEB, Ldr, fLink: DWORD;<br> p: PDWORD;<br> ImageBase, ImageSize: DWORD;<br>begin<br> asm<br> mov eax, fs: [$30]<br> mov PEB, eax<br> end;<br> Ldr := PDWORD(PEB + $C)^;<br> fLink := PDWORD(Ldr + $C)^;<br> p := PDWORD(fLink);<br> repeat<br> ImageBase := PDWORD(DWORD(p) + $18)^; // Base address<br> ImageSize := PDWORD(DWORD(p) + $20)^; // Size of image<br> if ImageBase = GetModuleHandle(nil) then<br> begin<br> MainProcImageBase := ImageBase;<br> MainProcImageSize := ImageSize;<br> end;<br> if (DWORD(pOriginFunc) > ImageBase) and (DWORD(pOriginFunc) < ImageBase + ImageSize) then<br> FixExport(ImageBase, OldAddr, NewRVA - ImageBase);<br> FixImport(ImageBase, OldAddr, NewAddr);<br> p := PDWORD(p^);<br> until fLink = p^;<br>end;<br><br>procedure EntryPointProc(Reason: Integer);<br>begin<br> if Reason = DLL_PROCESS_ATTACH then<br> begin<br> DllHash := CalcHash(FuncInDll);<br> pNewFunc := @NewCreateFileW;<br>// pOriginFunc := GetProcAddress(GetModuleHandle(FuncInDll), PChar(MakelParam($3C, 0)));<br>{ GetProcAddress by ordinal. $3C is the ordinal of CreateFileW}<br> pOriginFunc := GetProcAddress(GetModuleHandle(FuncInDll), Func2Hook);<br>{ GetProcAddress by name}<br> DoHook(DWORD(pOriginFunc), DWORD(pNewFunc), $100000000 + DWORD(pNewFunc));<br> end<br> else if Reason = DLL_PROCESS_DETACH then<br> begin<br> //Reset to original state.<br> DoHook(DWORD(pNewFunc), DWORD(pOriginFunc), DWORD(pOriginFunc));<br> end;<br>end;<br><br>begin <br> DllProc := @EntryPointProc;<br> EntryPointProc(DLL_PROCESS_ATTACH);<br>end.
Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
uses<br> {Jedi header}<br> JwaWinType,<br> JwaWinNt,<br> JwaWinUser,<br> JwaWinBase,<br> JwaWinGdi,<br> JwaWinNLS;<br><br>这些单元是什么?在哪?
T
tt.t
Unregistered / Unconfirmed
GUEST, unregistred user!
http://www.delphi-jedi.org/APILIBRARY:297648<br>ftp://delphi-jedi.org/api/win32api.zip
Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
谢谢,好东西
T
tt.t
Unregistered / Unconfirmed
GUEST, unregistred user!
楼主哪去了,行不行到时露个面啊
F
fan2588
Unregistered / Unconfirmed
GUEST, unregistred user!
这个好象有针对性,如果我想HOOK全局,所有进程好象不行吧
T
tt.t
Unregistered / Unconfirmed
GUEST, unregistred user!
确实是有针对性,不过不要指望ring 3级的api hook能有多么好的兼容性,毕竟这是一种不规范的做法。对付普通程序还行,要是对付某些壳就会比较麻烦。
Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
你的意思是说,还是用驱动?
Y
yanghaijun
Unregistered / Unconfirmed
GUEST, unregistred user!
正如前面所说,具有针对性,因而适应的情况不广