APIHook CreateProcess

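  unit ApiHook;
  { Inline hook of CreateProcessW for the *current* process.

    The first 5 bytes of CreateProcessW are overwritten with a JMP rel32 to
    MyCreateProcess, which shows the program and command line and lets the
    user allow or deny the launch.

    Known limits, stated so nobody relies on more than it delivers:
    - 32-bit only: the patch is a 5-byte rel32 JMP and the displacement is
      computed with DWORD arithmetic (compile-time guard below).
    - Process-local: only CreateProcessW calls made from this process are seen.
    - Not thread-safe: MyCreateProcess has to remove the patch while it calls
      the real CreateProcessW, so a concurrent CreateProcessW call from another
      thread in that window is not intercepted, and the hook state is not
      protected by any lock. MessageDlg is a VCL dialog and is shown on
      whatever thread made the call.
    - Nothing is installed automatically: the host calls API_Hookup;
      finalization only tears down a hook that was installed. }
  interface

  uses
    Windows, Messages, Dialogs, Controls, Classes, SysUtils, psapi;

  {$IFDEF CPUX64}
    {$MESSAGE Error 'ApiHook: 5-byte rel32 patch and DWORD pointer math are 32-bit only'}
  {$ENDIF}

  const
    PatchSize = 5; // length of "E9 rel32": the bytes that are saved and replaced

  type
    PImpCode = ^TImpCode;
    { Layout of an import thunk, "FF 25 [slot]" (JMP through an IAT slot).
      @CreateProcessW points at such a thunk, not at the function itself. }
    TImpCode = packed record
      JumpItn: Word;        // expected to be $25FF
      AddressFun: PPointer; // address of the IAT slot holding the real entry point
    end;
    { The JMP written over the hooked function. }
    TLongJmp = packed record
      JmpCode: ShortInt; // $E9, JMP rel32
      FuncAddr: DWORD;   // displacement from the end of the 5-byte JMP to NewFunction
    end;

    THookClass = class
    private
      hProcess: THandle;                        // own-process handle used by WriteProcessMemory
      AlreadyHook: Boolean;                     // True while the JMP is in place
      Oldcode: array[0..PatchSize - 1] of Byte; // original bytes of the hooked function
      Newcode: TLongJmp;                        // the JMP that replaces them
      procedure ReleaseHandle;
    public
      OldFunction, NewFunction: Pointer; // resolved (non-thunk) entry points
      constructor Create(OldFun, NewFun: Pointer);
      { Restores the original bytes and closes the process handle. }
      destructor Destroy; override;
      { Historical spelling of the tear-down, kept for existing callers.
        It was never the destructor, so xHookClass.Destroy used to leave the
        patch in place and leak the handle. Prefer Free. }
      constructor Destore; deprecated;
      procedure Restore; // put the original bytes back (no-op if not hooked)
      procedure Change;  // write the JMP (no-op if already hooked)
    end;

  procedure API_Hookup;  // install the CreateProcessW hook (idempotent)
  procedure Un_API_Hook; // remove it and free the instance (safe if never installed)

  implementation

  type
    { Signature of CreateProcessW, used to call the unpatched original.
      lpCurrentDirectory is a wide string for the W entry point; the pointer
      is passed through untouched either way. }
    TCreateProcess = function(lpApplicationName: PWideChar; lpCommandLine: PWideChar;
      lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
      bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
      lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
      var lpProcessInformation: TProcessInformation): BOOL; stdcall;

  var
    xHookClass: THookClass = nil; // the single installed hook; nil until API_Hookup

  { Follows an import thunk (FF 25 [slot]) to the real entry point.
    A pointer that is not a thunk is returned unchanged, nil is returned
    unchanged, and a pointer whose bytes cannot be read yields nil. }
  function TrueFunctionAddress(func: Pointer): Pointer;
  var
    Thunk: PImpCode;
  begin
    Result := func;
    if func = nil then
      Exit;
    try
      Thunk := func;
      if Thunk.JumpItn = $25FF then
        Result := Thunk.AddressFun^;
    except
      Result := nil; // reading unmapped memory raises EAccessViolation
    end;
  end;

  { Replacement for CreateProcessW: asks the user before the launch proceeds.
    The patch is removed for the duration of the real call (otherwise it would
    jump straight back here); try/finally guarantees it is reinstalled even if
    the dialog raises. A denial sets ERROR_ACCESS_DENIED so the caller's
    GetLastError is meaningful rather than whatever was left over. }
  function MyCreateProcess(lpApplicationName: PWideChar; lpCommandLine: PWideChar;
    lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
    bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
    lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
    var lpProcessInformation: TProcessInformation): BOOL; stdcall;
  var
    Description: String;
  begin
    Result := FALSE;
    xHookClass.Restore;
    try
      // a nil PWideChar argument becomes an empty string in this concatenation
      Description := lpApplicationName + '---' + lpCommandLine;
      if MessageDlg('已截获' + Description + ',是否允许运行?', mtConfirmation, [mbYes, mbNo], 0) <> mrYes then
      begin
        SetLastError(ERROR_ACCESS_DENIED);
        Exit; // the finally block below re-arms the hook
      end;
      Result := TCreateProcess(xHookClass.OldFunction)(lpApplicationName, lpCommandLine,
        lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags,
        lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
    finally
      xHookClass.Change;
    end;
  end;

  { Installs the hook once. A second call is ignored: another THookClass
    would snapshot the already-patched bytes as "original" and leak the
    first instance. }
  procedure API_Hookup;
  begin
    if xHookClass = nil then
      xHookClass := THookClass.Create(@CreateProcessW, @MyCreateProcess);
  end;

  { Removes the hook (if any) and frees the instance. FreeAndNil tolerates a
    nil xHookClass, which is the state in finalization when API_Hookup was
    never called. }
  procedure Un_API_Hook;
  begin
    FreeAndNil(xHookClass);
  end;

  { THookClass }

  { Resolves both addresses, opens the own process with only the rights
    WriteProcessMemory needs, prepares the JMP, saves the original bytes and
    applies the patch. Raises if an address cannot be resolved or the handle
    cannot be opened; Destroy then runs on the partial object and copes with
    an unhooked state and a zero handle. }
  constructor THookClass.Create(OldFun, NewFun: Pointer);
  begin
    inherited Create;
    AlreadyHook := False;
    OldFunction := TrueFunctionAddress(OldFun);
    NewFunction := TrueFunctionAddress(NewFun);
    if (OldFunction = nil) or (NewFunction = nil) then
      raise Exception.Create('THookClass.Create: cannot resolve hook addresses');
    // PROCESS_VM_OPERATION + PROCESS_VM_WRITE is what WriteProcessMemory requires;
    // PROCESS_ALL_ACCESS was more than this object ever uses.
    hProcess := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, GetCurrentProcessId);
    if hProcess = 0 then
      RaiseLastOSError;
    Newcode.JmpCode := ShortInt($E9);
    // rel32 is relative to the instruction following the 5-byte JMP
    Newcode.FuncAddr := DWORD(NewFunction) - DWORD(OldFunction) - PatchSize;
    Move(OldFunction^, Oldcode, PatchSize);
    Change;
  end;

  destructor THookClass.Destroy;
  begin
    Restore;
    ReleaseHandle;
    inherited;
  end;

  { Same tear-down as Destroy, minus freeing the object; retained only for
    callers that invoke Destore on an existing instance. }
  constructor THookClass.Destore;
  begin
    Restore;
    ReleaseHandle;
  end;

  { Closes the process handle once; safe to call repeatedly. }
  procedure THookClass.ReleaseHandle;
  begin
    if hProcess <> 0 then
    begin
      CloseHandle(hProcess);
      hProcess := 0;
    end;
  end;

  { Writes the JMP over the first PatchSize bytes of OldFunction. AlreadyHook
    is only set when the write succeeded, so a failed patch is not reported
    as hooked. The instruction cache is flushed because the bytes are code. }
  procedure THookClass.Change;
  var
    Written: DWORD;
  begin
    if AlreadyHook or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
      Exit;
    Written := 0;
    if WriteProcessMemory(hProcess, OldFunction, @Newcode, PatchSize, Written) and (Written = PatchSize) then
    begin
      FlushInstructionCache(hProcess, OldFunction, PatchSize);
      AlreadyHook := True;
    end;
  end;

  { Puts the saved original bytes back. AlreadyHook is cleared only when the
    write succeeded; if it failed the JMP is still in place and the flag
    says so. }
  procedure THookClass.Restore;
  var
    Written: DWORD;
  begin
    if (not AlreadyHook) or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
      Exit;
    Written := 0;
    if WriteProcessMemory(hProcess, OldFunction, @Oldcode, PatchSize, Written) and (Written = PatchSize) then
    begin
      FlushInstructionCache(hProcess, OldFunction, PatchSize);
      AlreadyHook := False;
    end;
  end;

  initialization
    // nothing: the host decides when to call API_Hookup
  finalization
    Un_API_Hook;
  end.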
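  unit ApiHook;
  { Inline hook of CreateProcessW for the *current* process.

    The first 5 bytes of CreateProcessW are overwritten with a JMP rel32 to
    MyCreateProcess, which shows the program and command line and lets the
    user allow or deny the launch.

    Known limits, stated so nobody relies on more than it delivers:
    - 32-bit only: the patch is a 5-byte rel32 JMP and the displacement is
      computed with DWORD arithmetic (compile-time guard below).
    - Process-local: only CreateProcessW calls made from this process are seen.
    - Not thread-safe: MyCreateProcess has to remove the patch while it calls
      the real CreateProcessW, so a concurrent CreateProcessW call from another
      thread in that window is not intercepted, and the hook state is not
      protected by any lock. MessageDlg is a VCL dialog and is shown on
      whatever thread made the call.
    - Nothing is installed automatically: the host calls API_Hookup;
      finalization only tears down a hook that was installed. }
  interface

  uses
    Windows, Messages, Dialogs, Controls, Classes, SysUtils, psapi;

  {$IFDEF CPUX64}
    {$MESSAGE Error 'ApiHook: 5-byte rel32 patch and DWORD pointer math are 32-bit only'}
  {$ENDIF}

  const
    PatchSize = 5; // length of "E9 rel32": the bytes that are saved and replaced

  type
    PImpCode = ^TImpCode;
    { Layout of an import thunk, "FF 25 [slot]" (JMP through an IAT slot).
      @CreateProcessW points at such a thunk, not at the function itself. }
    TImpCode = packed record
      JumpItn: Word;        // expected to be $25FF
      AddressFun: PPointer; // address of the IAT slot holding the real entry point
    end;
    { The JMP written over the hooked function. }
    TLongJmp = packed record
      JmpCode: ShortInt; // $E9, JMP rel32
      FuncAddr: DWORD;   // displacement from the end of the 5-byte JMP to NewFunction
    end;

    THookClass = class
    private
      hProcess: THandle;                        // own-process handle used by WriteProcessMemory
      AlreadyHook: Boolean;                     // True while the JMP is in place
      Oldcode: array[0..PatchSize - 1] of Byte; // original bytes of the hooked function
      Newcode: TLongJmp;                        // the JMP that replaces them
      procedure ReleaseHandle;
    public
      OldFunction, NewFunction: Pointer; // resolved (non-thunk) entry points
      constructor Create(OldFun, NewFun: Pointer);
      { Restores the original bytes and closes the process handle. }
      destructor Destroy; override;
      { Historical spelling of the tear-down, kept for existing callers.
        It was never the destructor, so xHookClass.Destroy used to leave the
        patch in place and leak the handle. Prefer Free. }
      constructor Destore; deprecated;
      procedure Restore; // put the original bytes back (no-op if not hooked)
      procedure Change;  // write the JMP (no-op if already hooked)
    end;

  procedure API_Hookup;  // install the CreateProcessW hook (idempotent)
  procedure Un_API_Hook; // remove it and free the instance (safe if never installed)

  implementation

  type
    { Signature of CreateProcessW, used to call the unpatched original.
      lpCurrentDirectory is a wide string for the W entry point; the pointer
      is passed through untouched either way. }
    TCreateProcess = function(lpApplicationName: PWideChar; lpCommandLine: PWideChar;
      lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
      bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
      lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
      var lpProcessInformation: TProcessInformation): BOOL; stdcall;

  var
    xHookClass: THookClass = nil; // the single installed hook; nil until API_Hookup

  { Follows an import thunk (FF 25 [slot]) to the real entry point.
    A pointer that is not a thunk is returned unchanged, nil is returned
    unchanged, and a pointer whose bytes cannot be read yields nil. }
  function TrueFunctionAddress(func: Pointer): Pointer;
  var
    Thunk: PImpCode;
  begin
    Result := func;
    if func = nil then
      Exit;
    try
      Thunk := func;
      if Thunk.JumpItn = $25FF then
        Result := Thunk.AddressFun^;
    except
      Result := nil; // reading unmapped memory raises EAccessViolation
    end;
  end;

  { Replacement for CreateProcessW: asks the user before the launch proceeds.
    The patch is removed for the duration of the real call (otherwise it would
    jump straight back here); try/finally guarantees it is reinstalled even if
    the dialog raises. A denial sets ERROR_ACCESS_DENIED so the caller's
    GetLastError is meaningful rather than whatever was left over. }
  function MyCreateProcess(lpApplicationName: PWideChar; lpCommandLine: PWideChar;
    lpProcessAttributes, lpThreadAttributes: PSecurityAttributes;
    bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer;
    lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo;
    var lpProcessInformation: TProcessInformation): BOOL; stdcall;
  var
    Description: String;
  begin
    Result := FALSE;
    xHookClass.Restore;
    try
      // a nil PWideChar argument becomes an empty string in this concatenation
      Description := lpApplicationName + '---' + lpCommandLine;
      if MessageDlg('已截获' + Description + ',是否允许运行?', mtConfirmation, [mbYes, mbNo], 0) <> mrYes then
      begin
        SetLastError(ERROR_ACCESS_DENIED);
        Exit; // the finally block below re-arms the hook
      end;
      Result := TCreateProcess(xHookClass.OldFunction)(lpApplicationName, lpCommandLine,
        lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags,
        lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
    finally
      xHookClass.Change;
    end;
  end;

  { Installs the hook once. A second call is ignored: another THookClass
    would snapshot the already-patched bytes as "original" and leak the
    first instance. }
  procedure API_Hookup;
  begin
    if xHookClass = nil then
      xHookClass := THookClass.Create(@CreateProcessW, @MyCreateProcess);
  end;

  { Removes the hook (if any) and frees the instance. FreeAndNil tolerates a
    nil xHookClass, which is the state in finalization when API_Hookup was
    never called. }
  procedure Un_API_Hook;
  begin
    FreeAndNil(xHookClass);
  end;

  { THookClass }

  { Resolves both addresses, opens the own process with only the rights
    WriteProcessMemory needs, prepares the JMP, saves the original bytes and
    applies the patch. Raises if an address cannot be resolved or the handle
    cannot be opened; Destroy then runs on the partial object and copes with
    an unhooked state and a zero handle. }
  constructor THookClass.Create(OldFun, NewFun: Pointer);
  begin
    inherited Create;
    AlreadyHook := False;
    OldFunction := TrueFunctionAddress(OldFun);
    NewFunction := TrueFunctionAddress(NewFun);
    if (OldFunction = nil) or (NewFunction = nil) then
      raise Exception.Create('THookClass.Create: cannot resolve hook addresses');
    // PROCESS_VM_OPERATION + PROCESS_VM_WRITE is what WriteProcessMemory requires;
    // PROCESS_ALL_ACCESS was more than this object ever uses.
    hProcess := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_WRITE, FALSE, GetCurrentProcessId);
    if hProcess = 0 then
      RaiseLastOSError;
    Newcode.JmpCode := ShortInt($E9);
    // rel32 is relative to the instruction following the 5-byte JMP
    Newcode.FuncAddr := DWORD(NewFunction) - DWORD(OldFunction) - PatchSize;
    Move(OldFunction^, Oldcode, PatchSize);
    Change;
  end;

  destructor THookClass.Destroy;
  begin
    Restore;
    ReleaseHandle;
    inherited;
  end;

  { Same tear-down as Destroy, minus freeing the object; retained only for
    callers that invoke Destore on an existing instance. }
  constructor THookClass.Destore;
  begin
    Restore;
    ReleaseHandle;
  end;

  { Closes the process handle once; safe to call repeatedly. }
  procedure THookClass.ReleaseHandle;
  begin
    if hProcess <> 0 then
    begin
      CloseHandle(hProcess);
      hProcess := 0;
    end;
  end;

  { Writes the JMP over the first PatchSize bytes of OldFunction. AlreadyHook
    is only set when the write succeeded, so a failed patch is not reported
    as hooked. The instruction cache is flushed because the bytes are code. }
  procedure THookClass.Change;
  var
    Written: DWORD;
  begin
    if AlreadyHook or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
      Exit;
    Written := 0;
    if WriteProcessMemory(hProcess, OldFunction, @Newcode, PatchSize, Written) and (Written = PatchSize) then
    begin
      FlushInstructionCache(hProcess, OldFunction, PatchSize);
      AlreadyHook := True;
    end;
  end;

  { Puts the saved original bytes back. AlreadyHook is cleared only when the
    write succeeded; if it failed the JMP is still in place and the flag
    says so. }
  procedure THookClass.Restore;
  var
    Written: DWORD;
  begin
    if (not AlreadyHook) or (hProcess = 0) or (OldFunction = nil) or (NewFunction = nil) then
      Exit;
    Written := 0;
    if WriteProcessMemory(hProcess, OldFunction, @Oldcode, PatchSize, Written) and (Written = PatchSize) then
    begin
      FlushInstructionCache(hProcess, OldFunction, PatchSize);
      AlreadyHook := False;
    end;
  end;

  initialization
    // nothing: the host decides when to call API_Hookup
  finalization
    Un_API_Hook;
  end.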
