10-17-2011، 09:19 PM
با یونیت های زیر میتونید openprocess و terminal process و .. هوک کنید.
کد:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls;
type
TForm1 = class(TForm)
Button1: TButton;
Button2: TButton;
procedure Button1Click(Sender: TObject);
procedure Button2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
procedure StartHook(pid: DWORD); stdcall; external 'hookdll.dll';
procedure EndHook; stdcall; external 'hookdll.dll';
implementation
{$R *.dfm}
procedure TForm1.Button1Click(Sender: TObject);
begin
StartHook(GetCurrentProcessId);
end;
procedure TForm1.Button2Click(Sender: TObject);
begin
EndHook;
end;
end.
کد:
library Hookdll;
uses
SysUtils,
Classes,
Windows,Dialogs,
unitHook in 'unitHook.pas';
const
HOOK_MEM_FILENAME = 'tmp.hkt';
var
hhk: HHOOK;
Hook: array[0..2] of TNtHookClass;
MemFile: THandle;
startPid: PDWORD;
fhProcess: THandle;
function NewOpenProcess(dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
type
TNewOpenProcess = function (dwDesiredAccess: DWORD; bInheritHandle: BOOL; dwProcessId: DWORD): THandle; stdcall;
begin
if startPid^ = dwProcessId then begin
Hook[1].UnHook;
Result := TNewOpenProcess(Hook[1].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);
fhProcess:=Result;
Hook[1].Hook;
exit;
end;
Hook[1].UnHook;
Result := TNewOpenProcess(Hook[1].BaseAddr)(dwDesiredAccess, bInheritHandle, dwProcessId);
Hook[1].Hook;
end;
function NewTerminateProcess(hProcess: THandle;uExitCode: UINT): BOOL; Stdcall;
type
TNewTerminateProcess = function (hProcess: THandle;uExitCode: UINT): BOOL; Stdcall;
begin
if fhProcess = hProcess then begin
showmessage('HAHA PWNED I am not allowed to close!');
result := true;
exit;
end;
Hook[2].UnHook;
Result := TNewTerminateProcess(Hook[2].BaseAddr)(hProcess, uExitCode );
Hook[2].Hook;
end;
procedure InitHook; //Initialize Hook
begin
Hook[1] := TNtHookClass.Create('kernel32.dll', 'OpenProcess', @NewOpenProcess);
hook[2] := TNtHookClass.Create('kernel32.dll', 'TerminateProcess', @NewTerminateProcess);
end;
procedure UninitHook; //Un-Initialize Hook
var
I: Integer;
begin
for I := 0 to High(Hook) do
begin
FreeAndNil(Hook[I]);
end;
end;
procedure MemShared();
begin
MemFile:=OpenFileMapping(FILE_MAP_ALL_ACCESS,False, HOOK_MEM_FILENAME); //Open the memory mapped File
if MemFile = 0 then begin
MemFile := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE, 0,
4, HOOK_MEM_FILENAME);
end;
if MemFile <> 0 then
//Map File to variables
startPid := MapViewOfFile(MemFile,FILE_MAP_ALL_ACCESS,0,0,0);
end;
//Transfer
function HookProc(nCode, wParam, lParam: Integer): Integer; stdcall;
begin
Result := CallNextHookEx(hhk, nCode, wParam, lParam);
end;
//Start HOOK
procedure StartHook(pid: DWORD); stdcall;
begin
startPid^ := pid;
hhk := SetWindowsHookEx(WH_CALLWNDPROC, HookProc, hInstance, 0);
end;
//End HOOK
procedure EndHook; stdcall;
begin
if hhk <> 0 then
UnhookWindowsHookEx(hhk);
end;
procedure DllEntry(dwResaon: DWORD);
begin
case dwResaon of
DLL_PROCESS_ATTACH: InitHook;
DLL_PROCESS_DETACH: UninitHook;
end;
end;
exports
StartHook, EndHook;
begin
MemShared;
{Distribution of DLL programs to DllProc variable}
DllProc: = @ DllEntry;
{Call the DLL load processing}
DllEntry (DLL_PROCESS_ATTACH);
end.
کد:
--------------------------- unitHook.pas
unit unitHook;
interface
uses
Windows, Messages, Classes, SysUtils;
type
//NtHook class related types
TNtJmpCode=packed record //8 Bytes
MovEax:Byte;
Addr:DWORD;
JmpCode:Word;
dwReserved:Byte;
end;
TNtHookClass=class(TObject)
private
hProcess:THandle;
NewAddr:TNtJmpCode;
OldAddr:array[0..7] of Byte;
ReadOK:Boolean;
public
BaseAddr:Pointer;
constructor Create(DllName,FuncName:string;NewFunc:Pointer);
destructor Destroy; override;
procedure Hook;
procedure UnHook;
end;
کد:
//==================================================
//NtHOOK Class Start
//==================================================
constructor TNtHookClass.Create(DllName: string; FuncName: string;NewFunc:Pointer);
var
DllModule:HMODULE;
dwReserved:DWORD;
begin
//Get Module Handle
DllModule:=GetModuleHandle(PChar(DllName));
//If DllModule is not loaded use LoadLibrary
if DllModule=0 then DllModule:=LoadLibrary(PChar(DllName));
//Get module entry address (base address)
BaseAddr:=Pointer(GetProcAddress(DllModule,PChar(FuncName)));
//Get the current process handle
hProcess:=GetCurrentProcess;
//Pointer to point to the new address
NewAddr.MovEax:=$B8;
NewAddr.Addr:=DWORD(NewFunc);
NewAddr.JmpCode:=$E0FF;
//Save the original address
ReadOK:=ReadProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved);
//Starting block
Hook;
end;
//Release object
destructor TNtHookClass.Destroy;
begin
UnHook;
CloseHandle(hProcess);
inherited;
end;
//Starting block
procedure TNtHookClass.Hook;
var
dwReserved:DWORD;
begin
if (ReadOK=False) then Exit;
//Write a new address
WriteProcessMemory(hProcess,BaseAddr,@NewAddr,8,dwReserved);
end;
//Recovery block
procedure TNtHookClass.UnHook;
var
dwReserved:DWORD;
begin
if (ReadOK=False) then Exit;
//Recovery Address
WriteProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved);
end;
end.