-
-
[求助]Delphi 下使用advapihook HOOK API 会被DEP拦截是什么原因?
-
发表于:
2009-2-9 15:25
4866
-
[求助]Delphi 下使用advapihook HOOK API 会被DEP拦截是什么原因?
想写个DLL Hook FindNextFile 在电脑上隐藏点资料。嘿嘿
DLL的内容:
library HookFindNextFile;
uses
Windows,StrUtils,advApiHook;
var
FindNextFileANext : function (handle: dword; var data: TWin32FindDataA) : bool; stdcall;
FindNextFileWNext : function (handle: dword; var data: TWin32FindDataW) : bool; stdcall;
function FindNextFileACallback(handle: dword; var data: TWin32FindDataA) : bool; stdcall;
begin
。。。。
end;
function FindNextFileWCallback(handle: dword; var data: TWin32FindDataW) : bool; stdcall;
begin
.....
end;
begin
HookProc('kernel32.dll', 'FindNextFileA', @FindNextFileACallback, @FindNextFileANext);
Hookproc('kernel32.dll', 'FindNextFileW', @FindNextFileWCallback, @FindNextFileWNext);
end.
这个advapihook 是在网上流传的看雪好像也有不少人在用。内容部份为:
{
Advanced API Hook Libary.
Coded By Ms-Rem ( Ms-Rem@yandex.ru ) ICQ 286370715
}
unit advApiHook;
............................
......................
function HookCode(TargetProc, NewProc: pointer; var OldProc: pointer): boolean;
var
Address: dword;
OldProtect: dword;
OldFunction: pointer;
Proc: pointer;
begin
Result := False;
try
Proc := TargetProc;
//âû÷èñëÿåì àäðåñ îòíîñèòåëüíîãî (jmp near) ïåðåõîäà íà íîâóþ ôóíêöèþ
Address := dword(NewProc) - dword(Proc) - 5;
VirtualProtect(Proc, 5, PAGE_EXECUTE_READWRITE, OldProtect);
//ñîçäàåì áóôôåð äëÿ true ôóíêöèè
GetMem(OldFunction, 255);
//êîïèðóåì ïåðâûå 4 áàéòà ôóíêöèè
dword(OldFunction^) := dword(Proc);
byte(pointer(dword(OldFunction) + 4)^) := SaveOldFunction(Proc, pointer(dword(OldFunction) + 5));
//byte(pointer(dword(OldFunction) + 4)^) - äëèíà ñîõðàíåííîãî ó÷àñòêà
byte(Proc^) := $e9; //óñòàíàâëèâàåì ïåðåõîä
dword(pointer(dword(Proc) + 1)^) := Address;
VirtualProtect(Proc, 5, OldProtect, OldProtect);
OldProc := pointer(dword(OldFunction) + 5);
except
Exit;
end;
Result := True;
end;
{
Óñòàíîâêà ïåðåõâàòà ôóíêöèè èç Dll â òåêóùåì ïðîöåññå.
lpModuleName - èìÿ ìîäóëÿ,
lpProcName - èìÿ ôóíêöèè,
NewProc - àäðåñ ôóíêöèè çàìåíû,
OldProc - çäåñü áóäåò ñîõðàíåí àäðåñ ìîñòà ê ñòàðîé ôóíêöèè.
 ñëó÷àå îòñóòñòâèÿ ìîäóëÿ â òåêóùåì ÀÏ, áóäåò ñäåëàíà ïîïûòêà åãî çàãðóçèòü.
}
function HookProc(lpModuleName, lpProcName: PChar;
NewProc: pointer; var OldProc: pointer): boolean;
var
hModule: dword;
fnAdr: pointer;
begin
Result := false;
hModule := GetModuleHandle(lpModuleName);
if hModule = 0 then hModule := LoadLibrary(lpModuleName);
if hModule = 0 then Exit;
fnAdr := GetProcAddress(hModule, lpProcName);
if fnAdr = nil then Exit;
Result := HookCode(fnAdr, NewProc, OldProc);
end;
但是一但DLL注入就会被XP的DEP拦截。造成目标程序(explorer)非法.
但是另一个控件madcodehook 却不会。。不过Madcodehook 没有源码。所以不知道他是怎么HOOK的。
[课程]Linux pwn 探索篇!
