K
kiss2
Unregistered / Unconfirmed
GUEST, unregistred user!
现在需要复制一个API函数到内存,然后调用他,绕过原来的API函数?<br>有没有这样的例子?<br>比如说将MessageBox这个API函数在内存中复制出来,新的API入口,然后怎样调用这个复制出来的API? 跟API HOOK有点类似,就是不知道怎么做?
C
ctaxp
Unregistered / Unconfirmed
GUEST, unregistred user!
看来我帮不上你的忙,只能帮你顶一下
S
smokingroom
Unregistered / Unconfirmed
GUEST, unregistred user!
type<br> TCode5=packed record<br> siJmp:Byte;<br> dwAddr
WORD;<br> end;<br><br> TThunkCode=packed record<br> codeBak:TCode5;<br> codeThunk:TCode5;<br> addr_Sys
ointer;<br> addr_Thunkointer;<br> end;<br><br>type<br> TMessageBoxA=function(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;<br><br>var<br> ThunkCode:TThunkCode;<br> hProcess:THandle;<br><br>function MyMessageBoxA(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;<br>var<br> dwByetsWriteWORD;<br>begin<br> ShowMessage('testing...');<br> WriteProcessMemory(hProcess,<br> ThunkCode.addr_Sys,<br> @ThunkCode.codeBak,<br> 5,<br> dwByetsWrite);<br> TMessageBoxA(ThunkCode.addr_Sys)(hwnd,lpText,lpCaption,uType);<br> WriteProcessMemory(hProcess,<br> ThunkCode.addr_Sys,<br> @ThunkCode.codeThunk,<br> 5,<br> dwByetsWrite);<br>end;<br><br>procedure TForm1.Button1Click(Sender: TObject);<br>const<br> szDllName='user32.dll';<br> szProcName='MessageBoxA';<br>var<br> hMod:HMODULE;<br> P:TMessageBoxA;<br> dwBytesReadWORD;<br>begin<br> hMod:=GetModuleHandle(szDllName);<br> ThunkCode.addr_Sys:=Pointer(GetProcAddress(hMod,szProcName));<br> ThunkCode.addr_Thunk:=@MyMessageBoxA;<br> ThunkCode.codeThunk.siJmp:=Byte($E9);<br> ThunkCode.codeThunk.dwAddr:=DWORD(ThunkCode.addr_Thunk)-DWORD(ThunkCode.addr_Sys)-5;<br> ThunkCode.codeBak.siJmp:=PByte(ThunkCode.addr_Sys)^;<br> ThunkCode.codeBak.dwAddr:=PDWORD(DWORD(ThunkCode.addr_Sys)+1)^;<br> hProcess:=GetCurrentProcess;<br> WriteProcessMemory(hProcess,<br> ThunkCode.addr_Sys,<br> @ThunkCode.codeThunk,<br> 5,<br> dwBytesRead);<br>end;<br><br>procedure TForm1.Button2Click(Sender: TObject);<br>begin<br> MyMessageBoxA(0,nil,nil,0);<br>end;
WORD;<br> end;<br><br> TThunkCode=packed record<br> codeBak:TCode5;<br> codeThunk:TCode5;<br> addr_Sysointer;<br> addr_Thunkointer;<br> end;<br><br>type<br> TMessageBoxA=function(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;<br><br>var<br> ThunkCode:TThunkCode;<br> hProcess:THandle;<br><br>function MyMessageBoxA(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;<br>var<br> dwByetsWriteWORD;<br>begin<br> ShowMessage('testing...');<br> WriteProcessMemory(hProcess,<br> ThunkCode.addr_Sys,<br> @ThunkCode.codeBak,<br> 5,<br> dwByetsWrite);<br> TMessageBoxA(ThunkCode.addr_Sys)(hwnd,lpText,lpCaption,uType);<br> WriteProcessMemory(hProcess,<br> ThunkCode.addr_Sys,<br> @ThunkCode.codeThunk,<br> 5,<br> dwByetsWrite);<br>end;<br><br>procedure TForm1.Button1Click(Sender: TObject);<br>const<br> szDllName='user32.dll';<br> szProcName='MessageBoxA';<br>var<br> hMod:HMODULE;<br> P:TMessageBoxA;<br> dwBytesReadWORD;<br>begin<br> hMod:=GetModuleHandle(szDllName);<br> ThunkCode.addr_Sys:=Pointer(GetProcAddress(hMod,szProcName));<br> ThunkCode.addr_Thunk:=@MyMessageBoxA;<br> ThunkCode.codeThunk.siJmp:=Byte($E9);<br> ThunkCode.codeThunk.dwAddr:=DWORD(ThunkCode.addr_Thunk)-DWORD(ThunkCode.addr_Sys)-5;<br> ThunkCode.codeBak.siJmp:=PByte(ThunkCode.addr_Sys)^;<br> ThunkCode.codeBak.dwAddr:=PDWORD(DWORD(ThunkCode.addr_Sys)+1)^;<br> hProcess:=GetCurrentProcess;<br> WriteProcessMemory(hProcess,<br> ThunkCode.addr_Sys,<br> @ThunkCode.codeThunk,<br> 5,<br> dwBytesRead);<br>end;<br><br>procedure TForm1.Button2Click(Sender: TObject);<br>begin<br> MyMessageBoxA(0,nil,nil,0);<br>end;
K
kiss2
Unregistered / Unconfirmed
GUEST, unregistred user!
to smokingroom: 这个方法不行,不能改变原来api内容。<br>我的意思是把api完整的复制一份到内存,然后在调用。
C
cdj000
Unregistered / Unconfirmed
GUEST, unregistred user!
学习……
W
Writer
Unregistered / Unconfirmed
GUEST, unregistred user!
原理上可以实现,不过涉及到汇编的重定位的问题,很麻烦!特别是你要随机将一个API复制出来,而又要它能正常运行的话。
K
kiss2
Unregistered / Unconfirmed
GUEST, unregistred user!
不是随机,是指定的API
Similar threads
- truelove
- Windows API
- yifeibbs
- Windows API