ApiHook,InjectDll 单元及其应用 [Delphi代码]
发表于:
2005-8-11 21:59
procedure InjectDllToProcess(hProcess:DWORD;lpDllName:PCHar);
向进程插入DLL，留作后用~可以将HOOK的DLL插入目标进程
默认无法在Win9x下运行，请使用EliCZ的EliRT单元~
以后说说如何打造自己的~
至于VirtualAllocEx、VirtualFreeEx、CreateRemoteThread这几个函数（其实《软件加密内幕》已经给出了思路~下次再贴出来吧），这次先说API hook
function HOOKAPI(lpModuleName : PChar; lpApiName : PChar; pCallbackFunc : Pointer) : dword;
挂钩函数
function UnHOOK(lpModuleName : PChar; lpApiName : PChar; pRestorePoint : Pointer; dwOldAddr : dword) : BOOL;
脱钩函数
// APIHOOK: rewrites entries of the current executable's import address table
// (IAT) so that calls to a chosen export land in a replacement routine, and
// offers a helper that loads a DLL into another process.
// Everything below assumes a 32-bit PE image and 32-bit pointers (DWORD casts,
// 4-byte IAT slots, 20-byte import descriptors).
unit APIHOOK;
{$WARNINGS OFF} // silences every compiler warning unit-wide — NOTE(review): drop it so possibly-uninitialised-variable warnings are not hidden
interface
uses Windows;
// Loads lpDllName into the process behind hProcess; see the implementation for
// the handle-ownership caveat (hProcess is closed inside).
procedure InjectDllToProcess(hProcess:DWORD;lpDllName:PCHar);
// Redirects every IAT slot of this executable that holds lpModuleName!lpApiName
// to pCallbackFunc; returns the original address, 0 when nothing was patched.
function HOOKAPI(lpModuleName : PChar; lpApiName : PChar; pCallbackFunc : Pointer) : dword;
// Writes the real export address back into the IAT; TRUE when a slot was rewritten.
function UnHOOK(lpModuleName : PChar; lpApiName : PChar; pRestorePoint : Pointer; dwOldAddr : dword) : BOOL;
implementation
type
  // Local copy of the PE32 import directory entry (IMAGE_IMPORT_DESCRIPTOR,
  // five DWORDs = 20 bytes, which is the stride the walkers below use). There
  // is one entry per imported module; the table ends with an entry whose
  // Name is 0.
  PIMAGE_IMPORT_DESCRIPTOR = ^IMAGE_IMPORT_DESCRIPTOR;
  IMAGE_IMPORT_DESCRIPTOR = record
    OriginalFirstThunk : DWORD; // RVA of the import name table (not read by this unit)
    TimeDateStamp : DWORD;      // not read by this unit
    ForwarderChain : DWORD;     // not read by this unit
    Name : DWORD;               // RVA of the module name; 0 marks the end of the table
    FirstThunk : DWORD;         // RVA of this module's IAT slots, the array that gets patched
  end;
type
  // One 4-byte IAT slot; after the loader has run it holds the address of the
  // imported function (the value HOOKAPI compares against GetProcAddress).
  PIMAGE_THUNK_DATA = ^IMAGE_THUNK_DATA;
  IMAGE_THUNK_DATA = record
    FunctionAddr : DWORD;
  end;
type
  // Old/new address pair — declared but not referenced anywhere in this unit.
  PIMAGE_RESTORE = ^IMAGE_RESTORE;
  IMAGE_RESTORE = record
    OldAddr : DWORD;
    NewAddr : DWORD;
  end;
// Decimal text of Value, produced with the Str intrinsic so that SysUtils is
// not needed. Shadows SysUtils.IntToStr; nothing in this unit calls it.
function IntToStr(Value: Integer): String;
var
  sText: String;
begin
  Str(Value, sText);
  Result := sText;
end;
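// Puts the real address of lpModuleName!lpApiName back into the IAT slots of
// the current executable that a previous HOOKAPI call redirected.
// A slot is rewritten when its current value equals pRestorePoint (read here
// as the callback address HOOKAPI installed — NOTE(review): the parameter was
// unused before, this interpretation follows its name and HOOKAPI's behaviour;
// confirm against callers) or equals dwOldAddr (the original matching rule,
// kept for compatibility). The value written is what GetProcAddress returns
// for the export now, which is the value HOOKAPI found in the slot.
// Returns TRUE when at least one slot was rewritten, FALSE otherwise: module
// or export not resolvable, headers not a PE32 image, no import directory, or
// no matching slot.
// The IAT is usually write-protected after loading; unlike the original code
// the slot is made writable for the store and its protection restored, so the
// write no longer faults. The LoadLibrary reference is kept on purpose so the
// resolved address stays valid. 32-bit only (DWORD pointer arithmetic).
function UnHOOK(lpModuleName : PChar; lpApiName : PChar; pRestorePoint : Pointer; dwOldAddr : dword) : BOOL;
var
  hLib : HMODULE;
  pRealProc : Pointer;
  pDosHdr : PImageDosHeader;
  pNtHdr : PImageNtHeaders;
  dwImportRva : DWORD;
  pImportDesc : PIMAGE_IMPORT_DESCRIPTOR;
  pSlot : ^Pointer;
  dwOldProtect : DWORD;
  dwUnused : DWORD;
  bMatched : Boolean;
begin
  Result := FALSE;
  hLib := LoadLibrary(lpModuleName);
  if hLib = 0 then
    Exit;
  pRealProc := GetProcAddress(hLib, lpApiName);
  if pRealProc = nil then
    Exit;
  // Walk the headers of the executable image that created this process.
  pDosHdr := PImageDosHeader(GetModuleHandle(nil));
  if (pDosHdr = nil) or (pDosHdr^.e_magic <> IMAGE_DOS_SIGNATURE) then
    Exit;
  pNtHdr := Pointer(dword(pDosHdr) + DWORD(pDosHdr^._lfanew));
  if pNtHdr^.Signature <> IMAGE_NT_SIGNATURE then
    Exit;
  dwImportRva := pNtHdr^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
  if dwImportRva = 0 then
    Exit; // image has no import directory, nothing to restore
  pImportDesc := Pointer(dword(pDosHdr) + dwImportRva);
  bMatched := FALSE;
  // One descriptor per imported module; the list ends with a zeroed entry.
  while pImportDesc^.Name <> 0 do
  begin
    // FirstThunk points at this module's IAT slots, nil-terminated.
    pSlot := Pointer(dword(pDosHdr) + pImportDesc^.FirstThunk);
    while pSlot^ <> nil do
    begin
      if (pSlot^ = Pointer(dwOldAddr)) or
         ((pRestorePoint <> nil) and (pSlot^ = pRestorePoint)) then
      begin
        // Same protection HOOKAPI uses (kept in case the IAT lives in an
        // executable section); restored right after the store. A refused
        // protection change skips the slot instead of faulting on the write.
        if VirtualProtect(pSlot, SizeOf(Pointer), PAGE_EXECUTE_READWRITE, @dwOldProtect) then
        begin
          pSlot^ := pRealProc;
          VirtualProtect(pSlot, SizeOf(Pointer), dwOldProtect, @dwUnused);
          bMatched := TRUE;
        end;
      end;
      pSlot := Pointer(dword(pSlot) + SizeOf(IMAGE_THUNK_DATA));
    end;
    pImportDesc := Pointer(dword(pImportDesc) + SizeOf(IMAGE_IMPORT_DESCRIPTOR));
  end;
  Result := bMatched;
end;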
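// Hooks lpModuleName!lpApiName in the current executable's import address
// table (IAT): every IAT slot that currently holds that export's address is
// rewritten to point at pCallbackFunc.
// Returns the export's original address (the value found in the slot; hand it
// to UnHOOK later) or 0 when nothing was patched: nil callback, module or
// export not resolvable, headers not a PE32 image, no import directory, or no
// slot matched.
// Notes:
//  * pCallbackFunc must match the hooked export's calling convention and
//    signature; that cannot be checked here.
//  * Only this executable's own import slots are touched (GetModuleHandle(nil)
//    is the image walked); DLLs importing the same export are unaffected.
//  * Unlike the original code the page protection is checked and restored
//    after the store instead of being left at PAGE_EXECUTE_READWRITE.
//  * The LoadLibrary reference is kept on purpose so the resolved address
//    stays valid while the hook is installed.
//  * 32-bit only: DWORD pointer arithmetic and the PE32 layout (4-byte IAT
//    slots, 20-byte import descriptors).
function HOOKAPI(lpModuleName : PChar; lpApiName : PChar; pCallbackFunc : Pointer) : dword;
var
  hLib : HMODULE;
  pRealProc : Pointer;
  pDosHdr : PImageDosHeader;
  pNtHdr : PImageNtHeaders;
  dwImportRva : DWORD;
  pImportDesc : PIMAGE_IMPORT_DESCRIPTOR;
  pSlot : ^Pointer;
  dwOldProtect : DWORD;
  dwUnused : DWORD;
begin
  Result := 0;
  // Storing nil into a slot would end the slot walk early and leave the
  // program calling address 0; refuse the request instead.
  if pCallbackFunc = nil then
    Exit;
  hLib := LoadLibrary(lpModuleName);
  if hLib = 0 then
    Exit;
  pRealProc := GetProcAddress(hLib, lpApiName);
  if pRealProc = nil then
    Exit;
  // Walk the headers of the executable image that created this process.
  pDosHdr := PImageDosHeader(GetModuleHandle(nil));
  if (pDosHdr = nil) or (pDosHdr^.e_magic <> IMAGE_DOS_SIGNATURE) then
    Exit;
  pNtHdr := Pointer(dword(pDosHdr) + DWORD(pDosHdr^._lfanew));
  if pNtHdr^.Signature <> IMAGE_NT_SIGNATURE then
    Exit;
  dwImportRva := pNtHdr^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
  if dwImportRva = 0 then
    Exit; // image has no import directory, nothing to hook
  pImportDesc := Pointer(dword(pDosHdr) + dwImportRva);
  // One descriptor per imported module; the list ends with a zeroed entry.
  while pImportDesc^.Name <> 0 do
  begin
    // FirstThunk points at this module's IAT slots, nil-terminated.
    pSlot := Pointer(dword(pDosHdr) + pImportDesc^.FirstThunk);
    while pSlot^ <> nil do
    begin
      if pSlot^ = pRealProc then
      begin
        // The IAT is usually write-protected once the loader is done: make
        // the slot writable only for the store and put the old protection
        // back. A refused protection change skips the slot instead of
        // faulting on the write.
        if VirtualProtect(pSlot, SizeOf(Pointer), PAGE_EXECUTE_READWRITE, @dwOldProtect) then
        begin
          pSlot^ := pCallbackFunc;
          VirtualProtect(pSlot, SizeOf(Pointer), dwOldProtect, @dwUnused);
          Result := dword(pRealProc);
        end;
      end;
      pSlot := Pointer(dword(pSlot) + SizeOf(IMAGE_THUNK_DATA));
    end;
    pImportDesc := Pointer(dword(pImportDesc) + SizeOf(IMAGE_IMPORT_DESCRIPTOR));
  end;
end;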
// Loads the DLL named by lpDllName into the process behind hProcess: a page is
// allocated in that process, the path is copied into it, and a remote thread
// is started with kernel32!LoadLibraryA as its entry and the page as its
// parameter. The routine waits for that thread, releases the page and then
// closes BOTH the thread handle and hProcess — the caller's handle is not
// usable afterwards.
// hProcess must have been opened by the caller with whatever rights these
// calls need; the author notes the routine does not run on Win9x.
// NOTE(review): WriteProcessMemory copies 4096 bytes starting at lpDllName,
// far more than a NUL-terminated path: it reads past the caller's buffer
// (possible access violation) and copies whatever follows the path into the
// target process. StrLen(lpDllName) + 1, capped at the page size, is the
// length that should be written.
// NOTE(review): no return value is checked — a nil pArg or a 0 dwThread is
// passed straight on to the next call, and the wait on an invalid handle
// returns WAIT_FAILED at once instead of waiting.
// NOTE(review): the page only ever holds the path string, so PAGE_READWRITE
// would be sufficient for the allocation.
procedure InjectDllToProcess(hProcess:DWORD;lpDllName:PCHar);
var
  dwWritten : DWORD;
  dwThread : DWORD;
  dwTid: DWORD;
  pArg : Pointer;
begin
  pArg := VirtualAllocEx(hProcess, nil, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  WriteProcessMemory(hProcess, pArg, Pointer(lpDllName), 4096, dwWritten);
  dwThread := CreateRemoteThread(hProcess, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), pArg, 0, dwTid);
  WaitForSingleObject(dwThread, INFINITE);
  VirtualFreeEx(hProcess, pArg, 0, MEM_RELEASE);
  CloseHandle(dwThread);
  CloseHandle(hProcess); // closes the handle the caller passed in
end;
end.