Api_hook interception messageBox other functions

Others 2020-01-09 11:30:55 views: null 
library hookdll;

uses
  SysUtils,
  Windows,
  Classes,
  unitHook in 'unitHook.pas';

{$R *.res}

const
  HOOK_MEM_FILENAME  =  'tmp.hkt';

var
  hhk: HHOOK;
  Hook: array[0..3] of TNtHookClass;

//内存映射
  MemFile: THandle;
  startPid: PDWORD;   //保存PID

{--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--}

//拦截 MessageBoxA
function NewMessageBoxA(_hWnd: HWND; lpText,
 lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
type
  TNewMessageBoxA = function (_hWnd: HWND; lpText, 
lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
begin
  lpText := PAnsiChar('已经被拦截 MessageBoxA');
  Hook[0].UnHook;
Result := TNewMessageBoxA(Hook[0].BaseAddr)(_hWnd, lpText, lpCaption, uType);
  Hook[0].Hook;
end;

//拦截 MessageBoxW
function NewMessageBoxW(_hWnd: HWND; lpText, 
lpCaption: PWideChar; uType: UINT): Integer; stdcall;
type
  TNewMessageBoxW = function (_hWnd: HWND; lpText, 
lpCaption: PWideChar; uType: UINT): Integer; stdcall;
begin
  lpText := '已经被拦截 MessageBoxW';
  Hook[2].UnHook;
Result := TNewMessageBoxW(Hook[2].BaseAddr)(_hWnd, lpText, lpCaption, uType);
  Hook[2].Hook;
end;

//拦截 MessageBeep
function NewMessageBeep(uType: UINT): BOOL; stdcall;
type
  TNewMessageBeep = function (uType: UINT): BOOL; stdcall;
begin
Result := True;
end;

//拦截 OpenProcess , 防止关闭
function NewOpenProcess(dwDesiredAccess: DWORD;
 bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
type
  TNewOpenProcess = function (dwDesiredAccess: DWORD; 
bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
begin
  if startPid^ = dwProcessId  then
  begin
    result := 0;
    Exit;
  end;
    Hook[3].UnHook;
    Result := TNewOpenProcess(Hook[3].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);
    Hook[3].Hook;
end;

{--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--}

//安装API Hook
procedure InitHook;
begin
  Hook[0] := TNtHookClass.Create('user32.dll', 'MessageBoxA', @NewMessageBoxA);
  Hook[1] := TNtHookClass.Create('user32.dll', 'MessageBeep', @NewMessageBeep);
  Hook[2] := TNtHookClass.Create('user32.dll', 'MessageBoxW', @NewMessageBoxW);
  Hook[3] := TNtHookClass.Create('kernel32.dll', 'OpenProcess', @NewOpenProcess);
 End ; 

// delete Hook the API 
Procedure UninitHook;
 var 
  the I: Integer; 
the begin 
  for the I: = 0  to High (Hook) do 
  the begin 
    IF the Assigned (Hook [the I]) the then   // ZL add their own judgment 
      FreeAndNil (Hook [the I]);
   End ;
 End ; 

{ - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - } 

// memory map shared 
Procedure MemShared ();
 the begin 
  memfile: =OpenFileMapping (FILE_MAP_ALL_ACCESS, False, HOOK_MEM_FILENAME); 
 // open memory-mapped file 
IF memfile = 0  the then 
the begin   // open fails Kai c2 built memory-mapped file 
    memfile: = the CreateFileMapping ($ FFFFFFFF, nil , PAGE_READWRITE, 0 ,
                               4 , HOOK_MEM_FILENAME) ;
 End ;
 IF memfile <> 0  the then 
// map the file into the variable 
    startPid: = the MapViewOfFile (memfile, FILE_MAP_ALL_ACCESS, 0 , 0 , 0 );
 End ; 

// pass the message 
functionHookProc (nCode, the wParam, the lParam: Integer): Integer; _stdcall ;
 the begin 
the Result: = the CallNextHookEx (HHK, nCode, the wParam, the lParam);
 End ; 

// start HOOK 
Procedure StartHook (PID: DWORD); _stdcall ;
 the begin 
  UninitHook; / / ZL added their own 

  startPid ^: = pid; 
  HHK: = the SetWindowsHookEx (WH_CALLWNDPROC, HookProc, hInstance, 0 ); 

  InitHook; // // ZL added their own 
end ; 

// end HOOK 
Procedure EndHook; stdcall ;
 the begin
  IF HHK <> 0  the then 
  the begin 
    the UnhookWindowsHookEx (HHK); 
    UninitHook; // ZL plus their 
  End ;
 End ; 

// environmental disposal 
Procedure the DllEntry (dwResaon: DWORD);
 the begin 
Case dwResaon of 
    // the DLL_PROCESS_ATTACH: InitHook; // carrying the DLL // zl into their shielding 
    DLL_PROCESS_DETACH: UninitHook; // DLL delete 
End ;
 End ; 

Exports 
  StartHook, EndHook; 

the begin 
  MemShared; 

{ allocated to the DLL DLLProc variable } 
  DLLProc: =@DllEntry;
 { call processing load DLL } 
  the DllEntry (the DLL_PROCESS_ATTACH); 
End . 




Unit unitHook; 

interface 

uses 
  the Windows, the Messages, the Classes, the SysUtils; 

type 

// NtHook or related types 
  TNtJmpCode = packed The  Record   // . 8 bytes 
    MovEax: Byte; 
    Addr : DWORD; 
    JmpCode: Word; 
    The dwReserved: Byte; 
End ; 

  TNtHookClass = class (TObject)
   Private 
      the hProcess: THandle; 
      NewAddr: TNtJmpCode; 
      OldAddr: Array [ 0 ..7] of Byte;
      ReadOK:Boolean;
  public
      BaseAddr:Pointer;
  constructor Create(DllName,FuncName:string;NewFunc:Pointer);
  destructor Destroy; override;
  procedure Hook;
  procedure UnHook;
end;

implementation

//==================================================
//NtHOOK 类开始
//==================================================
constructor TNtHookClass.Create(DllName: string; FuncName: String ; newfunc: the Pointer);
 var 
  DllModule: the HMODULE; 
  The dwReserved: DWORD; 
the begin 
// obtaining module handle 
  DllModule: = the GetModuleHandle (the PChar (DllName));
 // if not unloaded DESCRIPTION 
IF DllModule = 0  the then DllModule: = the LoadLibrary (the PChar (DllName));
 // get the module entry address (base address) 
  BaseAddr: = the Pointer (the GetProcAddress (DllModule, the PChar (FuncName)));
 // get the current process handle 
  the hProcess: = GetCurrentProcess;
 // point to the new pointer address 
  NewAddr.MovEax: = $ B8; 
  NewAddr.Addr: = DWORD (newfunc); 
  NewAddr.JmpCode:= $ E0FF;
 // save the original address 
  ReadOK: = ReadProcessMemory (hProcess, BaseAddr, @ OldAddr, 8 , dwReserved);
 // start blocking 
  Hook;
 End ; 

// release the object 
destructor TNtHookClass. The Destroy ;
 the begin 
  unhook; 
the CloseHandle (hProcess) ; 

Inherited ;
 End ; 

// start blocking 
Procedure TNtHookClass.Hook;
 var 
  dwReserved: DWORD; 
the begin 
IF (ReadOK = False) the then Exit;
 // write the new address 
WriteProcessMemory (hProcess, BaseAddr, @ NewAddr ,8,dwReserved);
end;

//恢复拦截
procedure TNtHookClass.UnHook;
var
  dwReserved:DWORD;
begin
if (ReadOK=False) then Exit;
//恢复地址
WriteProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved);
end;

end.





procedure StartHook(pid: DWORD); stdcall; external 'hookdll.dll';
procedure EndHook; stdcall; external 'hookdll.dll';

implementation

{$R *.dfm}

procedure TfrmMain.btnHookClick(Sender: TObject);
begin
  StartHook(GetCurrentProcessId);
end;

procedure TfrmMain.btnUnhookClick(Sender: TObject);
begin
  EndHook;
end;

procedure TfrmMain.Button1Click(Sender: TObject);
begin
  MessageBox(0, '呵呵健健康康', nil, 0);
end;

Guess you like

Origin www.cnblogs.com/tobetterlife/p/12170248.html
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com