Api_hook 拦截 messageBox 等函数
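library hookdll;

{ Demonstration DLL for in-process API interception.
  Four exports (MessageBoxA, MessageBeep, MessageBoxW in user32; OpenProcess
  in kernel32) are patched with a jump to a replacement routine by
  TNtHookClass (unitHook.pas). A protected PID is shared between processes
  through a named file mapping (HOOK_MEM_FILENAME); the DLL is pulled into
  other processes via a WH_CALLWNDPROC hook installed by StartHook. }

uses
  SysUtils, Windows, Classes,
  unitHook in 'unitHook.pas';

{$R *.res}

const
  HOOK_MEM_FILENAME = 'tmp.hkt';  // name of the shared file mapping that holds the PID

var
  hhk: HHOOK;                         // handle of the WH_CALLWNDPROC hook, 0 when not installed
  Hook: array[0..3] of TNtHookClass;  // 0=MessageBoxA 1=MessageBeep 2=MessageBoxW 3=OpenProcess
  // shared memory
  MemFile: THandle;                   // file-mapping handle, 0 if open/create failed
  startPid: PDWORD;                   // mapped view holding the protected PID; nil if mapping failed

{--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--}

// Replacement for MessageBoxA: swaps the text, then calls the original.
// The patch is removed (UnHook) for the whole process while the original
// runs and re-applied afterwards; another thread calling MessageBoxA in
// that window is not intercepted, and the two writes are not synchronized.
function NewMessageBoxA(_hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
type
  TNewMessageBoxA = function (_hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
begin
  lpText := PAnsiChar('已经被拦截 MessageBoxA');
  Hook[0].UnHook;
  Result := TNewMessageBoxA(Hook[0].BaseAddr)(_hWnd, lpText, lpCaption, uType);
  Hook[0].Hook;
end;

// Replacement for MessageBoxW; same unhook/call/rehook pattern as NewMessageBoxA.
function NewMessageBoxW(_hWnd: HWND; lpText, lpCaption: PWideChar; uType: UINT): Integer; stdcall;
type
  TNewMessageBoxW = function (_hWnd: HWND; lpText, lpCaption: PWideChar; uType: UINT): Integer; stdcall;
begin
  lpText := '已经被拦截 MessageBoxW';
  Hook[2].UnHook;
  Result := TNewMessageBoxW(Hook[2].BaseAddr)(_hWnd, lpText, lpCaption, uType);
  Hook[2].Hook;
end;

// Replacement for MessageBeep: reports success without calling the original.
function NewMessageBeep(uType: UINT): BOOL; stdcall;
begin
  Result := True;
end;

// Replacement for OpenProcess: returns 0 (no handle) for the PID stored in
// the shared mapping, otherwise forwards to the original. The view pointer
// is checked because MemShared may have failed to map it.
function NewOpenProcess(dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
type
  TNewOpenProcess = function (dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
begin
  if (startPid <> nil) and (startPid^ = dwProcessId) then
  begin
    Result := 0;
    Exit;
  end;
  Hook[3].UnHook;
  Result := TNewOpenProcess(Hook[3].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);
  Hook[3].Hook;
end;

{--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--}

// Installs the four API patches (TNtHookClass.Create patches immediately).
procedure InitHook;
begin
  Hook[0] := TNtHookClass.Create('user32.dll', 'MessageBoxA', @NewMessageBoxA);
  Hook[1] := TNtHookClass.Create('user32.dll', 'MessageBeep', @NewMessageBeep);
  Hook[2] := TNtHookClass.Create('user32.dll', 'MessageBoxW', @NewMessageBoxW);
  Hook[3] := TNtHookClass.Create('kernel32.dll', 'OpenProcess', @NewOpenProcess);
end;

// Removes the patches; destroying a TNtHookClass restores the original bytes.
procedure UninitHook;
var
  I: Integer;
begin
  for I := 0 to High(Hook) do
    if Assigned(Hook[I]) then  // safe when InitHook was never called
      FreeAndNil(Hook[I]);
end;

{--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--}

// Opens (or, if it does not exist yet, creates) the named file mapping and
// maps one DWORD of it into startPid. On any failure startPid stays nil,
// which the callers treat as "no protected PID".
procedure MemShared();
begin
  MemFile := OpenFileMapping(FILE_MAP_ALL_ACCESS, False, HOOK_MEM_FILENAME);  // open existing mapping
  if MemFile = 0 then
  begin
    // open failed: create the mapping (pagefile-backed, no file handle)
    MemFile := CreateFileMapping(INVALID_HANDLE_VALUE, nil, PAGE_READWRITE, 0, SizeOf(DWORD), HOOK_MEM_FILENAME);
  end;
  if MemFile <> 0 then  // map the whole object into the process
    startPid := MapViewOfFile(MemFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);
end;

// Releases the view and the mapping handle taken by MemShared.
procedure MemUnshared;
begin
  if startPid <> nil then
  begin
    UnmapViewOfFile(startPid);
    startPid := nil;
  end;
  if MemFile <> 0 then
  begin
    CloseHandle(MemFile);
    MemFile := 0;
  end;
end;

// WH_CALLWNDPROC callback; does nothing but pass the message on.
function HookProc(nCode, wParam, lParam: Integer): Integer; stdcall;
begin
  Result := CallNextHookEx(hhk, nCode, wParam, lParam);
end;

// Exported: stores pid as the protected PID, installs the window hook and
// the API patches. Any earlier patches are dropped first.
procedure StartHook(pid: DWORD); stdcall;
begin
  UninitHook;
  if startPid <> nil then  // mapping may have failed in MemShared
    startPid^ := pid;
  hhk := SetWindowsHookEx(WH_CALLWNDPROC, HookProc, hInstance, 0);
  InitHook;
end;

// Exported: removes the window hook and the API patches. hhk is reset so a
// second call does not unhook a stale handle.
procedure EndHook; stdcall;
begin
  if hhk <> 0 then
  begin
    UnhookWindowsHookEx(hhk);
    hhk := 0;
    UninitHook;
  end;
end;

// DllProc handler: cleans up on detach. Patching on attach is disabled;
// StartHook does it explicitly.
procedure DllEntry(dwResaon: DWORD);
begin
  case dwResaon of
    //DLL_PROCESS_ATTACH: InitHook;  // disabled by the author
    DLL_PROCESS_DETACH:
      begin
        UninitHook;
        MemUnshared;
      end;
  end;
end;

exports
  StartHook, EndHook;

begin
  MemShared;
  { route further attach/detach notifications to DllEntry }
  DllProc := @DllEntry;
  { run the attach handling once for the initial load }
  DllEntry(DLL_PROCESS_ATTACH);
end.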
unit unitHook;

{ TNtHookClass: in-process inline patch of an exported function.
  Create saves the first 8 bytes at the export's address and overwrites
  them with "mov eax, NewFunc / jmp eax"; UnHook writes the saved bytes
  back. Only the current process is touched (hProcess := GetCurrentProcess). }

interface

uses Windows, Messages, Classes, SysUtils;

type
  // types used by the NtHook class
  TNtJmpCode=packed record  // 8 bytes
    MovEax:Byte;             // $B8 = mov eax, imm32
    Addr:DWORD;              // imm32: address of the replacement routine
    JmpCode:Word;            // $E0FF, laid out little-endian as FF E0 = jmp eax
    dwReserved:Byte;         // padding so the record is exactly 8 bytes
  end;

  TNtHookClass=class(TObject)
  private
    hProcess:THandle;             // handle from GetCurrentProcess
    NewAddr:TNtJmpCode;           // the 8 patch bytes written by Hook
    OldAddr:array[0..7] of Byte;  // original 8 bytes, written back by UnHook
    ReadOK:Boolean;               // False if the original bytes could not be read; Hook/UnHook are then no-ops
  public
    BaseAddr:Pointer;             // address of the target export (nil if GetProcAddress failed)
    constructor Create(DllName,FuncName:string;NewFunc:Pointer);
    destructor Destroy; override;
    procedure Hook;
    procedure UnHook;
  end;

implementation

//==================================================
// NtHOOK class
//==================================================

// Resolves DllName!FuncName, builds the patch for NewFunc, saves the
// original bytes and applies the patch immediately.
constructor TNtHookClass.Create(DllName: string; FuncName: string;NewFunc:Pointer);
var
  DllModule:HMODULE;
  dwReserved:DWORD;
begin
  // module handle of the DLL
  DllModule:=GetModuleHandle(PChar(DllName));
  // 0 means it is not loaded yet: load it (the handle is never released here)
  if DllModule=0 then
    DllModule:=LoadLibrary(PChar(DllName));
  // address of the exported function
  BaseAddr:=Pointer(GetProcAddress(DllModule,PChar(FuncName)));
  // handle of the current process
  hProcess:=GetCurrentProcess;
  // build "mov eax, NewFunc; jmp eax"
  NewAddr.MovEax:=$B8;
  NewAddr.Addr:=DWORD(NewFunc);
  NewAddr.JmpCode:=$E0FF;
  // save the original 8 bytes; a failed read disables Hook/UnHook
  ReadOK:=ReadProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved);
  // apply the patch
  Hook;
end;

// Restores the original bytes and releases the object.
destructor TNtHookClass.Destroy;
begin
  UnHook;
  CloseHandle(hProcess);
  inherited;
end;

// Writes the patch bytes over the function entry (no-op if ReadOK is False).
procedure TNtHookClass.Hook;
var
  dwReserved:DWORD;
begin
  if (ReadOK=False) then Exit;
  // write the new entry bytes
  WriteProcessMemory(hProcess,BaseAddr,@NewAddr,8,dwReserved);
end;

// Writes the saved original bytes back (no-op if ReadOK is False).
procedure TNtHookClass.UnHook;
var
  dwReserved:DWORD;
begin
  if (ReadOK=False) then Exit;
  // restore the original entry bytes
  WriteProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved);
end;

end.

{ ---- fragment of the host form unit; its unit header, uses clause and the
  TfrmMain declaration are not part of this listing ---- }

// entry points exported by hookdll.dll
procedure StartHook(pid: DWORD); stdcall; external 'hookdll.dll';
procedure EndHook; stdcall; external 'hookdll.dll';

implementation

{$R *.dfm}

// installs the hooks with this process's own PID as the protected one
procedure TfrmMain.btnHookClick(Sender: TObject);
begin
  StartHook(GetCurrentProcessId);
end;

// removes the hooks
procedure TfrmMain.btnUnhookClick(Sender: TObject);
begin
  EndHook;
end;

// shows a message box so the MessageBox interception can be observed
procedure TfrmMain.Button1Click(Sender: TObject);
begin
  MessageBox(0, '呵呵健健康康', nil, 0);
end;
书搞进脑袋 创新 创造; 积极