library hookdll; uses SysUtils, Windows, Classes, unitHook in 'unitHook.pas'; {$R *.res} const HOOK_MEM_FILENAME = 'tmp.hkt'; var hhk: HHOOK; Hook: array[0..3] of TNtHookClass; //内存映射 MemFile: THandle; startPid: PDWORD; //保存PID {--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--} //拦截 MessageBoxA function NewMessageBoxA(_hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall; type TNewMessageBoxA = function (_hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall; begin lpText := PAnsiChar('已经被拦截 MessageBoxA'); Hook[0].UnHook; Result := TNewMessageBoxA(Hook[0].BaseAddr)(_hWnd, lpText, lpCaption, uType); Hook[0].Hook; end; //拦截 MessageBoxW function NewMessageBoxW(_hWnd: HWND; lpText, lpCaption: PWideChar; uType: UINT): Integer; stdcall; type TNewMessageBoxW = function (_hWnd: HWND; lpText, lpCaption: PWideChar; uType: UINT): Integer; stdcall; begin lpText := '已经被拦截 MessageBoxW'; Hook[2].UnHook; Result := TNewMessageBoxW(Hook[2].BaseAddr)(_hWnd, lpText, lpCaption, uType); Hook[2].Hook; end; //拦截 MessageBeep function NewMessageBeep(uType: UINT): BOOL; stdcall; type TNewMessageBeep = function (uType: UINT): BOOL; stdcall; begin Result := True; end; //拦截 OpenProcess , 防止关闭 function NewOpenProcess(dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall; type TNewOpenProcess = function (dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall; begin if startPid^ = dwProcessId then begin result := 0; Exit; end; Hook[3].UnHook; Result := TNewOpenProcess(Hook[3].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId); Hook[3].Hook; end; {--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--} //安装API Hook procedure InitHook; begin Hook[0] := TNtHookClass.Create('user32.dll', 'MessageBoxA', @NewMessageBoxA); Hook[1] := TNtHookClass.Create('user32.dll', 'MessageBeep', @NewMessageBeep); Hook[2] := TNtHookClass.Create('user32.dll', 'MessageBoxW', @NewMessageBoxW); Hook[3] := TNtHookClass.Create('kernel32.dll', 'OpenProcess', @NewOpenProcess); End ; // delete Hook the API Procedure UninitHook; var the I: Integer; the begin for the I: = 0 to High (Hook) do the begin IF the Assigned (Hook [the I]) the then // ZL add their own judgment FreeAndNil (Hook [the I]); End ; End ; { - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - } // memory map shared Procedure MemShared (); the begin memfile: =OpenFileMapping (FILE_MAP_ALL_ACCESS, False, HOOK_MEM_FILENAME); // open memory-mapped file IF memfile = 0 the then the begin // open fails Kai c2 built memory-mapped file memfile: = the CreateFileMapping ($ FFFFFFFF, nil , PAGE_READWRITE, 0 , 4 , HOOK_MEM_FILENAME) ; End ; IF memfile <> 0 the then // map the file into the variable startPid: = the MapViewOfFile (memfile, FILE_MAP_ALL_ACCESS, 0 , 0 , 0 ); End ; // pass the message functionHookProc (nCode, the wParam, the lParam: Integer): Integer; _stdcall ; the begin the Result: = the CallNextHookEx (HHK, nCode, the wParam, the lParam); End ; // start HOOK Procedure StartHook (PID: DWORD); _stdcall ; the begin UninitHook; / / ZL added their own startPid ^: = pid; HHK: = the SetWindowsHookEx (WH_CALLWNDPROC, HookProc, hInstance, 0 ); InitHook; // // ZL added their own end ; // end HOOK Procedure EndHook; stdcall ; the begin IF HHK <> 0 the then the begin the UnhookWindowsHookEx (HHK); UninitHook; // ZL plus their End ; End ; // environmental disposal Procedure the DllEntry (dwResaon: DWORD); the begin Case dwResaon of // the DLL_PROCESS_ATTACH: InitHook; // carrying the DLL // zl into their shielding DLL_PROCESS_DETACH: UninitHook; // DLL delete End ; End ; Exports StartHook, EndHook; the begin MemShared; { allocated to the DLL DLLProc variable } DLLProc: =@DllEntry; { call processing load DLL } the DllEntry (the DLL_PROCESS_ATTACH); End . Unit unitHook; interface uses the Windows, the Messages, the Classes, the SysUtils; type // NtHook or related types TNtJmpCode = packed The Record // . 8 bytes MovEax: Byte; Addr : DWORD; JmpCode: Word; The dwReserved: Byte; End ; TNtHookClass = class (TObject) Private the hProcess: THandle; NewAddr: TNtJmpCode; OldAddr: Array [ 0 ..7] of Byte; ReadOK:Boolean; public BaseAddr:Pointer; constructor Create(DllName,FuncName:string;NewFunc:Pointer); destructor Destroy; override; procedure Hook; procedure UnHook; end; implementation //================================================== //NtHOOK 类开始 //================================================== constructor TNtHookClass.Create(DllName: string; FuncName: String ; newfunc: the Pointer); var DllModule: the HMODULE; The dwReserved: DWORD; the begin // obtaining module handle DllModule: = the GetModuleHandle (the PChar (DllName)); // if not unloaded DESCRIPTION IF DllModule = 0 the then DllModule: = the LoadLibrary (the PChar (DllName)); // get the module entry address (base address) BaseAddr: = the Pointer (the GetProcAddress (DllModule, the PChar (FuncName))); // get the current process handle the hProcess: = GetCurrentProcess; // point to the new pointer address NewAddr.MovEax: = $ B8; NewAddr.Addr: = DWORD (newfunc); NewAddr.JmpCode:= $ E0FF; // save the original address ReadOK: = ReadProcessMemory (hProcess, BaseAddr, @ OldAddr, 8 , dwReserved); // start blocking Hook; End ; // release the object destructor TNtHookClass. The Destroy ; the begin unhook; the CloseHandle (hProcess) ; Inherited ; End ; // start blocking Procedure TNtHookClass.Hook; var dwReserved: DWORD; the begin IF (ReadOK = False) the then Exit; // write the new address WriteProcessMemory (hProcess, BaseAddr, @ NewAddr ,8,dwReserved); end; //恢复拦截 procedure TNtHookClass.UnHook; var dwReserved:DWORD; begin if (ReadOK=False) then Exit; //恢复地址 WriteProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved); end; end. procedure StartHook(pid: DWORD); stdcall; external 'hookdll.dll'; procedure EndHook; stdcall; external 'hookdll.dll'; implementation {$R *.dfm} procedure TfrmMain.btnHookClick(Sender: TObject); begin StartHook(GetCurrentProcessId); end; procedure TfrmMain.btnUnhookClick(Sender: TObject); begin EndHook; end; procedure TfrmMain.Button1Click(Sender: TObject); begin MessageBox(0, '呵呵健健康康', nil, 0); end;
Api_hook interception messageBox other functions
Guess you like
Origin www.cnblogs.com/tobetterlife/p/12170248.html
Recommended
Ranking