
ApiHook,InjectDll 单元及其应用 [Delphi代码]

2005-8-11 21:59 8692

procedure InjectDllToProcess(hProcess:DWORD;lpDllName:PCHar);
向进程插入DLL，留着以后有用：可以把做HOOK的DLL插入目标进程。
默认无法在Win9x下运行，请使用EliCZ的EliRT单元。
以后说说如何打造自己的~
用到 VirtualAllocEx、VirtualFreeEx、CreateRemoteThread 函数（其实《软件加密内幕》已经给出了思路，下次再贴出来）。这次说 API hook。

function HOOKAPI(lpModuleName : PChar; lpApiName : PChar; pCallbackFunc : Pointer) : dword;

挂钩函数

function UnHOOK(lpModuleName : PChar; lpApiName : PChar; pRestorePoint : Pointer; dwOldAddr : dword) : BOOL;

脱钩函数

unit APIHOOK;
// IAT (import address table) hooking helpers plus a remote-thread DLL loader.
// All pointer arithmetic in the implementation assumes 32-bit PE images
// (4-byte thunks, 20-byte import descriptors); see the record declarations.
{$WARNINGS OFF}  // silences compiler warnings for the whole unit; keeping them on would keep the compiler's diagnostics visible
interface

uses Windows;

// Loads lpDllName into the process referred to by hProcess by running LoadLibraryA
// on a new thread inside it, and blocks until that thread exits.
// Side effect: hProcess is closed before returning.
procedure InjectDllToProcess(hProcess:DWORD;lpDllName:PCHar);
// Rewrites every IAT slot of the calling process's main module that holds the
// real address of lpModuleName!lpApiName so it holds pCallbackFunc instead.
// Returns the original export address, or 0 if no slot matched.
function HOOKAPI(lpModuleName : PChar; lpApiName : PChar; pCallbackFunc : Pointer) : dword;
// Reverse of HOOKAPI: every IAT slot holding dwOldAddr (the callback address)
// is set back to the real export address. pRestorePoint is currently ignored.
// Returns TRUE if at least one slot was restored.
function UnHOOK(lpModuleName : PChar; lpApiName : PChar; pRestorePoint : Pointer; dwOldAddr : dword) : BOOL;
implementation

type
  // Local copy of the PE import descriptor layout: five DWORDs = 20 bytes,
  // which is the stride HOOKAPI/UnHOOK use when stepping through the array.
  // A descriptor whose Name is 0 terminates the array.
  PIMAGE_IMPORT_DESCRIPTOR = ^IMAGE_IMPORT_DESCRIPTOR;
  IMAGE_IMPORT_DESCRIPTOR = record
  OriginalFirstThunk : DWORD;  // not used by this unit
  TimeDateStamp : DWORD;       // not used by this unit
  ForwarderChain : DWORD;      // not used by this unit
  Name : DWORD;                // only used as the end-of-array marker (0)
  FirstThunk : DWORD;          // offset from the module base to the IAT slots that get patched
end;

type
  // One IAT slot: a single 4-byte value, so this unit only handles 32-bit images.
  // Declared for documentation only: the walkers below use a raw ^Pointer and
  // advance by 4 themselves, stopping at a nil slot.
  PIMAGE_THUNK_DATA = ^IMAGE_THUNK_DATA;
  IMAGE_THUNK_DATA = record
  FunctionAddr : DWORD;
end;

type
  // Old/new address pair. Declared but not referenced anywhere in this unit
  // (HOOKAPI returns the old address as a plain dword instead).
  PIMAGE_RESTORE = ^IMAGE_RESTORE;
  IMAGE_RESTORE = record
  OldAddr : DWORD;
  NewAddr : DWORD;
end;

function IntToStr(Value: Integer): String;
// Minimal integer-to-text conversion built on the Str intrinsic so the unit
// needs nothing beyond the Windows unit. Not referenced anywhere in this unit.
var
  Text: String;
begin
  Str(Value, Text);
  Result := Text;
end;


function UnHOOK(lpModuleName : PChar; lpApiName : PChar; pRestorePoint : Pointer; dwOldAddr : dword) : BOOL;
// Walks the main module's IAT (same traversal as HOOKAPI) and writes the real
// export address of lpModuleName!lpApiName into every slot that currently holds
// dwOldAddr, i.e. dwOldAddr is the callback address that HOOKAPI installed.
// pRestorePoint is never read. Returns TRUE if at least one slot was rewritten.
// Notes:
//  - no VirtualProtect here: the write only succeeds because HOOKAPI changed the
//    page to PAGE_EXECUTE_READWRITE and never restored it;
//  - the LoadLibrary reference is never released;
//  - the +4 / +20 strides are 32-bit PE sizes.
var
  dwLoaded : dword;           // module handle from LoadLibrary
  pProtoFill : Pointer;       // real export address written back into the IAT
  dwModuleBase : dword;       // main executable of the calling process
  pDosHdr : PImageDosHeader;
  dwPeOffset : dword;         // e_lfanew: offset of the NT headers
  pNtHdr : PImageNtHeaders;
  pImportDesc : PIMAGE_IMPORT_DESCRIPTOR;  // current import descriptor
  pCode : ^Pointer;           // current IAT slot
  bYesNo : Boolean;           // at least one slot restored
begin
  dwLoaded := LoadLibrary(lpModuleName);
  pProtoFill := GetProcAddress(dwLoaded, lpApiName);  // failure (nil) is not checked
  dwModuleBase := GetModuleHandle(nil);
  pDosHdr := PImageDosHeader(dwModuleBase);
  dwPeOffset := pDosHdr^._lfanew;
  pNtHdr := Pointer(dword(pDosHdr) + dwPeOffset);
  // No zero check on the import directory RVA: an image without one would make
  // pImportDesc alias the DOS header.
  pImportDesc := Pointer(dword(pDosHdr) + pNtHdr.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  bYesNo := FALSE;
  while pImportDesc^.Name <> 0 do  // descriptor array ends with Name = 0
  begin
    pCode := Pointer(dword(pDosHdr) + pImportDesc^.FirstThunk);
    while pCode^ <> nil do  // IAT ends with a nil slot
    begin
      if (pCode^ = Pointer(dwOldAddr)) then
      begin
        pCode^ := pProtoFill;  // relies on the page still being writable (see header)
        bYesNo := TRUE;
      end;
      pCode := Pointer(dword(pCode) + 4);  // next 32-bit IAT slot
    end;
    pImportDesc := Pointer(dword(pImportDesc) + 20);  // next descriptor (20 bytes each)
  end;
  // Equivalent to Result := bYesNo.
  if (bYesNo = TRUE) then
  begin
    Result := TRUE;
  end else
  begin
    Result := FALSE;
  end;
end;

function HOOKAPI(lpModuleName : PChar; lpApiName : PChar; pCallbackFunc : Pointer) : dword;
// Patches the import address table of the calling process's main executable
// (GetModuleHandle(nil)) so that every slot holding the real address of
// lpModuleName!lpApiName holds pCallbackFunc instead. Only the main module's
// IAT is walked: imports of other loaded DLLs are untouched, and calls resolved
// through GetProcAddress do not go through the IAT at all.
// Returns the original export address, or 0 if no matching slot was found.
// Notes:
//  - slots are matched by address only; the descriptor's module name is not compared;
//  - the protection set by VirtualProtect is never restored (UnHOOK depends on that);
//  - the LoadLibrary reference is never released;
//  - a failed LoadLibrary/GetProcAddress is not checked and presumably ends in the 0 path.
var
  pImportDesc: PIMAGE_IMPORT_DESCRIPTOR;  // current import descriptor
  pNtHdr : PImageNtHeaders;
  dwModuleBase : DWORD;       // main executable of the calling process
  pDosHdr : PImageDosHeader;
  pCode: ^Pointer;            // current IAT slot (4 bytes each: 32-bit only)
  pProtoFill : Pointer;       // real export address being replaced
  dwLoaded : DWORD;           // module handle from LoadLibrary
  dwPeOffset : DWORD;         // e_lfanew: offset of the NT headers
  dwOld : DWORD;              // previous page protection; saved but never restored
  bYesNo : Boolean;           // at least one slot patched
  dwAdz : dword;              // original slot value, returned to the caller
begin
  dwLoaded := LoadLibrary(lpModuleName);
  pProtoFill := GetProcAddress(dwLoaded, lpApiName);
  dwModuleBase := GetModuleHandle(nil);
  pDosHdr := PImageDosHeader(dwModuleBase);
  dwPeOffset := pDosHdr^._lfanew;
  pNtHdr := Pointer(dword(pDosHdr) + dwPeOffset);
  // No zero check on the import directory RVA: an image without one would make
  // pImportDesc alias the DOS header.
  pImportDesc := Pointer(dword(pDosHdr) + pNtHdr.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  bYesNo := FALSE;
  while pImportDesc^.Name <> 0 do  // descriptor array ends with Name = 0
  begin
    pCode := Pointer(dword(pDosHdr) + pImportDesc^.FirstThunk);
    while pCode^ <> nil do  // IAT ends with a nil slot
    begin
      if (pCode^ = pProtoFill) then
      begin
       VirtualProtect(pCode, 4, PAGE_EXECUTE_READWRITE, @dwOld);  // make the slot writable; return value unchecked
       dwAdz := dword(pCode^);
       bYesNo := TRUE;
       pCode^ := pCallbackFunc;
       Result := dwAdz;  // also assigned again after the loops
      end;
      pCode := Pointer(dword(pCode) + 4);  // next 32-bit IAT slot
    end;
    pImportDesc := Pointer(dword(pImportDesc) + 20);  // next descriptor (20 bytes each)
  end;
  if (bYesNo = FALSE) then
  begin
    Result := 0;
  end else
  begin
    Result := dwAdz;
  end;
end;

procedure InjectDllToProcess(hProcess:DWORD;lpDllName:PCHar);
// Makes the target process load lpDllName by starting a thread in it whose
// entry point is LoadLibraryA and whose argument is a copy of the path.
// Blocks until that thread exits.
// Side effect: hProcess is closed on return, so the caller must not reuse it.
// Return values of VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
// are not checked; a nil pArg or a 0 thread handle is passed straight on.
// NOTE(review): the remote-allocate / WriteProcessMemory / CreateRemoteThread
// sequence is exactly what process-injection telemetry and EDR rules key on,
// so expect it to be flagged on monitored hosts.
var
  dwWritten : DWORD;   // bytes actually written; never inspected
  dwThread : DWORD;    // handle of the remote thread
  dwTid: DWORD;        // id of the remote thread; never inspected
  pArg : Pointer;      // remote buffer holding the DLL path
begin
  pArg := VirtualAllocEx(hProcess, nil, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  // Copies a full 4096 bytes starting at lpDllName rather than the string plus
  // its terminator, so it reads past the caller's buffer whenever the path is shorter.
  WriteProcessMemory(hProcess, pArg, Pointer(lpDllName), 4096, dwWritten);
  // The thread start address is LoadLibraryA as resolved in *this* process;
  // it is assumed to be mapped at the same address inside the target.
  dwThread := CreateRemoteThread(hProcess, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), pArg, 0, dwTid);
  WaitForSingleObject(dwThread, INFINITE);  // no timeout: hangs if the loader thread never returns
  VirtualFreeEx(hProcess, pArg, 0, MEM_RELEASE);
  CloseHandle(dwThread);
  CloseHandle(hProcess);  // closes the caller's handle, not just one this routine opened
end;

end.


实例:
program test;
// Sample host: hooks its own MessageBoxA import via APIHOOK, then unhooks it.

uses
  Windows,
  APIHOOK;


function MessageBoxCallback(hWnd: HWND; lpText, lpCaption: PChar; uType: UINT): Integer; stdcall;
// Replacement for MessageBoxA: same stdcall signature so it can occupy the IAT slot.
// NOTE(review): Result is never assigned, so code calling the hooked MessageBoxA
// receives an indeterminate return value.
begin
MessageBoxW(0, '挂钩成功!改变说明', '', MB_OK);//MessageBoxW is used because calling the hooked MessageBoxA from here would loop forever
{Instead of showing a fixed message, the original function could be chained:
first declare the original as
MessageBoxANextHook: function(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;

then return its result directly from MessageBoxCallback, e.g.
Result := MessageBoxANextHook(hWnd, '嘿嘿~XXX', '我钩!',uType);

}
end;

var
  dwRestore : dword;         // original MessageBoxA address returned by HOOKAPI; 0 on failure
  bTrue : Boolean;           // result of UnHOOK; never inspected
  dwAddrOfOldFunc : dword;   // unused
begin
MessageBox(0, '开始挂钩', '', MB_OK);  // "starting hook" - shown before the hook exists

dwRestore := APIhook('user32.dll', 'MessageBoxA', @MessageBoxCallback);//install the hook

if (dwRestore = 0) then
begin
MessageBox(0, '挂钩失败', '', MB_OK);  // "hook failed" - only runs when no slot was patched
end;

// Remove the hook. dwRestore is passed as pRestorePoint, which UnHOOK ignores;
// the callback address is what UnHOOK actually matches on.
// NOTE(review): on the success path nothing calls MessageBoxA between the hook
// and the unhook, so the callback does not appear to be exercised by this sample.
bTrue := Unhook('user32.dll', 'MessageBoxA', Pointer(dwRestore), dword(@MessageBoxCallback));//remove the hook

end.


全金属狂潮3 Tv 5发布了~看完睡觉~。。。。。。。。。。。。


最新回复 (1)
hacknet 2009-7-22 22:43
XP sp3下测试不好使啊。请高手指点啊。