|
|
<div class="tit"> </div>
<table style="TABLE-LAYOUT: fixed">
<tbody>
<tr>
<td>
<div id="blog_text" class="cnt">HOOK.DLL的代码: <br/>library Hook; <br/><br/>uses <br/>SysUtils, <br/>windows, <br/>Messages, <br/>APIHook in 'APIHook.pas'; <br/><br/>type <br/>PData = ^TData; <br/>TData = record <br/>Hook: THandle; <br/>Hooked: Boolean; <br/>end; <br/><br/>var <br/>DLLData: PData; <br/><br/>{------------------------------------} <br/>{过程名:HookProc <br/>{过程功能:HOOK过程 <br/>{过程参数:nCode, wParam, lParam消息的相 <br/>{ 关参数 <br/>{------------------------------------} <br/>procedure HookProc(nCode, wParam, lParam: LongWORD);stdcall; <br/>begin <br/>if not DLLData^.Hooked then <br/>begin <br/>HookAPI; <br/>DLLData^.Hooked := True; <br/>end; <br/>//调用下一个Hook <br/>CallNextHookEx(DLLData^.Hook, nCode, wParam, lParam); <br/>end; <br/><br/><br/>{------------------------------------} <br/>{函数名:InstallHook <br/>{函数功能:在指定窗口上安装HOOK <br/>{函数参数:sWindow:要安装HOOK的窗口 <br/>{返回值:成功返回TRUE,失败返回FALSE <br/>{------------------------------------} <br/>function InstallHook(SWindow: LongWORD):Boolean;stdcall; <br/>var <br/>ThreadID: LongWORD; <br/>begin <br/>Result := False; <br/>DLLData^.Hook := 0; <br/>ThreadID := GetWindowThreadProcessId(sWindow, nil); <br/>//给指定窗口挂上钩子 <br/>DLLData^.Hook := SetWindowsHookEx(WH_GETMESSAGE, @HookProc, Hinstance, ThreadID); <br/>if DLLData^.Hook > 0 then <br/>Result := True //是否成功HOOK <br/>else <br/>exit; <br/>end; <br/><br/>{------------------------------------} <br/>{过程名:UnHook <br/>{过程功能:卸载HOOK <br/>{过程参数:无 <br/>{------------------------------------} <br/>procedure UnHook;stdcall; <br/>begin <br/>UnHookAPI; <br/>//卸载Hook <br/>UnhookWindowsHookEx(DLLData^.Hook); <br/>end; <br/><br/>{------------------------------------} <br/>{过程名 LL入口函数 <br/>{过程功能:进行DLL初始化,释放等 <br/>{过程参数LL状态 <br/>{------------------------------------} <br/>procedure MyDLLHandler(Reason: Integer); <br/>var <br/>FHandle: LongWORD; <br/>begin <br/>case Reason of <br/>DLL_PROCESS_ATTACH: <br/>begin //建立文件映射,以实现DLL中的全局变量 <br/>FHandle := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0, $ffff, 'MYDLLDATA'); <br/>if FHandle = 0 then <br/>if GetLastError = ERROR_ALREADY_EXISTS then <br/>begin <br/>FHandle := OpenFileMapping(FILE_MAP_ALL_ACCESS, False, 'MYDLLDATA'); <br/>if FHandle = 0 then Exit; <br/>end else Exit; <br/>DLLData := MapViewOfFile(FHandle, FILE_MAP_ALL_ACCESS, 0, 0, 0); <br/>if DLLData = nil then <br/>CloseHandle(FHandle); <br/>end; <br/>DLL_PROCESS_DETACH: <br/>begin <br/>if Assigned(DLLData) then <br/>begin <br/>UnmapViewOfFile(DLLData); <br/>DLLData := nil; <br/>end; <br/>end; <br/>end; <br/>end; <br/><br/>{$R *.res} <br/>exports <br/>InstallHook, UnHook, HookProc; <br/><br/>begin <br/>DLLProc := @MyDLLHandler; <br/>MyDLLhandler(DLL_PROCESS_ATTACH); <br/>DLLData^.Hooked := False; <br/>end. <br/><br/>---------------------------------------------------------------------------------------- <br/>APIHook.Pas的代码: <br/><br/>unit APIHook; <br/><br/>interface <br/><br/>uses <br/>SysUtils, <br/>Windows, WinSock; <br/><br/>type <br/>//要HOOK的API函数定义 <br/>TSockProc = function (s: TSocket; var Buf; len, flags: Integer): Integer; stdcall; <br/><br/>PJmpCode = ^TJmpCode; <br/>TJmpCode = packed record <br/>JmpCode: BYTE; <br/>Address: TSockProc; <br/>MovEAX: Array [0..2] of BYTE; <br/>end; <br/><br/>//--------------------函数声明--------------------------- <br/>procedure HookAPI; <br/>procedure UnHookAPI; <br/><br/>var <br/>OldSend, OldRecv: TSockProc; //原来的API地址 <br/>JmpCode: TJmpCode; <br/>OldProc: array [0..1] of TJmpCode; <br/>AddSend, AddRecv: pointer; //API地址 <br/>TmpJmp: TJmpCode; <br/>ProcessHandle: THandle; <br/>implementation <br/><br/>{---------------------------------------} <br/>{函数功能:Send函数的HOOK <br/>{函数参数:同Send <br/>{函数返回值:integer <br/>{---------------------------------------} <br/>function MySend(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall; <br/>var <br/>dwSize: cardinal; <br/>begin <br/>//这儿进行发送的数据处理 <br/>MessageBeep(1000); //简单的响一声 <br/>//调用直正的Send函数 <br/>WriteProcessMemory(ProcessHandle, AddSend, @OldProc[0], 8, dwSize); <br/>Result := OldSend(S, Buf, len, flags); <br/>JmpCode.Address := @MySend; <br/>WriteProcessMemory(ProcessHandle, AddSend, @JmpCode, 8, dwSize); <br/>end; <br/><br/>{---------------------------------------} <br/>{函数功能:Recv函数的HOOK <br/>{函数参数:同Recv <br/>{函数返回值:integer <br/>{---------------------------------------} <br/>function MyRecv(s: TSocket; var Buf; len, flags: Integer): Integer; stdcall; <br/>var <br/>dwSize: cardinal; <br/>begin <br/>//这儿进行接收的数据处理 <br/>MessageBeep(1000); //简单的响一声 <br/>//调用直正的Recv函数 <br/>WriteProcessMemory(ProcessHandle, AddRecv, @OldProc[1], 8, dwSize); <br/>Result := OldRecv(S, Buf, len, flags); <br/>JmpCode.Address := @MyRecv; <br/>WriteProcessMemory(ProcessHandle, AddRecv, @JmpCode, 8, dwSize); <br/>end; <br/><br/>{------------------------------------} <br/>{过程功能:HookAPI <br/>{过程参数:无 <br/>{------------------------------------} <br/>procedure HookAPI; <br/>var <br/>DLLModule: THandle; <br/>dwSize: cardinal; <br/>begin <br/>ProcessHandle := GetCurrentProcess; <br/>DLLModule := LoadLibrary('ws2_32.dll'); <br/>AddSend := GetProcAddress(DLLModule, 'send'); //取得API地址 <br/>AddRecv := GetProcAddress(DLLModule, 'recv'); <br/>JmpCode.JmpCode := $B8; <br/>JmpCode.MovEAX[0] := $FF; <br/>JmpCode.MovEAX[1] := $E0; <br/>JmpCode.MovEAX[2] := 0; <br/>ReadProcessMemory(ProcessHandle, AddSend, @OldProc[0], 8, dwSize); <br/>JmpCode.Address := @MySend; <br/>WriteProcessMemory(ProcessHandle, AddSend, @JmpCode, 8, dwSize); //修改Send入口 <br/>ReadProcessMemory(ProcessHandle, AddRecv, @OldProc[1], 8, dwSize); <br/>JmpCode.Address := @MyRecv; <br/>WriteProcessMemory(ProcessHandle, AddRecv, @JmpCode, 8, dwSize); //修改Recv入口 <br/>OldSend := AddSend; <br/>OldRecv := AddRecv; <br/>end; <br/><br/>{------------------------------------} <br/>{过程功能:取消HOOKAPI <br/>{过程参数:无 <br/>{------------------------------------} <br/>procedure UnHookAPI; <br/>var <br/>dwSize: Cardinal; <br/>begin <br/>WriteProcessMemory(ProcessHandle, AddSend, @OldProc[0], 8, dwSize); <br/>WriteProcessMemory(ProcessHandle, AddRecv, @OldProc[1], 8, dwSize); <br/>end; <br/><br/>end. <br/><br/>--------------------------------------------------------------------------------------------- <br/>编译这个DLL后,再新建一个程序调用这个DLL的InstallHook并传入目标进程的主窗口句柄就可: <br/>unit fmMain; <br/><br/>interface <br/><br/>uses <br/>Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, <br/>Dialogs, StdCtrls; <br/><br/>type <br/>TForm1 = class(TForm) <br/>Button1: TButton; <br/>Button2: TButton; <br/>Edit1: TEdit; <br/>procedure Button1Click(Sender: TObject); <br/>procedure Button2Click(Sender: TObject); <br/>private <br/>{ Private declarations } <br/>public <br/>{ Public declarations } <br/>end; <br/><br/>var <br/>Form1: TForm1; <br/>InstallHook: function (SWindow: THandle):Boolean;stdcall; <br/>UnHook: procedure;stdcall; <br/>implementation <br/><br/>{$R *.dfm} <br/><br/>procedure TForm1.Button1Click(Sender: TObject); <br/>var <br/>ModuleHandle: THandle; <br/>TmpWndHandle: THandle; <br/>begin <br/>TmpWndHandle := 0; <br/>TmpWndHandle := FindWindow(nil, '目标窗口的标题'); <br/>if not isWindow(TmpWndHandle) then <br/>begin <br/>MessageBox(self.Handle, '没有找到窗口', '!!!', MB_OK); <br/>exit; <br/>end; <br/>ModuleHandle := LoadLibrary('Hook.dll'); <br/>@InstallHook := GetProcAddress(ModuleHandle, 'InstallHook'); <br/>@UnHook := GetProcAddress(ModuleHandle, 'UnHook'); <br/>if InstallHook(FindWindow(nil, 'Untitled')) then <br/>ShowMessage('Hook OK'); <br/>end; <br/><br/>procedure TForm1.Button2Click(Sender: TObject); <br/>begin <br/>UnHook <br/>end; <br/><br/>end.</div></td></tr></tbody></table> |
|
发表于 2009-3-7 12:17:15