©2010-2026 宁波自信网络信息技术有限公司 版权所有
客服电话:0574-28810668 投诉电话:18658249818
浙ICP备2021020529号-1 | 浙B2-20240490
关注我们 :
1、unit HookAPIUnit1; interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls; type TForm1 = class(TForm) Button1: TButton; Button2: TButton; ListBox1: TListBox; Label1: TLabel; Button3: TButton; Button4
2、 TButton; Button5: TButton; procedure Button1Click(Sender: TObject); procedure Button2Click(Sender: TObject); procedure FormCreate(Sender: TObject); procedure Button3Click(Sender: TObject); procedure Button4Click(Sender: TObject); procedure Button5Click(Sender: TO
3、bject); private { Private declarations } public { Public declarations } end; var Form1: TForm1; function MyMessageBox(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT):Integer; stdcall; procedure EnableDebugPriviledge(); /////// EnableDebugPriviledge();函数在实验成功后已
4、显多余,当时纯粹是考虑了可能出现的权限不足的情况 implementation var oldAddressEntry:array[1..5]of Byte; newAddressEntry:array[1..5]of Byte=($E9,$00,$00,$00,$00); ///////////修改前5字节JMP RelativeAddress:DWord; padressOfMessageBoxA:Pointer; oldPageAttrib:cardinal; pByte:^Byte; NumberOfBytesBeenRead,NumberOfB
5、ytesWriten:DWord; procedure ChangePageAttribToReadWrite(pBaseAddress:Pointer); begin if VirtualProtect(pBaseAddress,8,PAGE_READWRITE,oldPageAttrib)=false then begin showMessage('failed to ChangePageAttribToReadWrite'); end; end; function MyMessageBox(hWnd: HWND; lpText, lpCa
6、ption: PAnsiChar; uType: UINT):Integer; stdcall; begin Form1.ListBox1.Items.Add('Hooked MessageBox Function!!'); if lpCaption='Notifation' then ////实验证明,如果Hook成功,MessageBox的所有参数都会传递给这个自定义的拦截函数。在这里可以判断比较传递来的参数,再决定如果进行下面的操作。 begin Form1.ListBox1.Items.Add('param of the Messa
7、geBox Function was replaced!!'); end; end; procedure EnableDebugPriviledge(); var hToken:Thandle; returnLength:Cardinal; Lid:int64; NewTokenPriviledge,OldTokenPriviledge:_TOKEN_PRIVILEGES; begin if OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,hToken)=false then begin
8、 showMessage('failed to OpenProcessToken!'); end; if LookupPrivilegeValue(nil,'SeDebugPrivilege',Lid)=false then begin showMessage('failed to LookupPrivilegeValue!'); end; NewTokenPriviledge.PrivilegeCount:=1; NewTokenPriviledge.Privileges[0].Luid:=Lid; NewTokenPriviledge.
9、Privileges[0].Attributes:=SE_PRIVILEGE_ENABLED; if AdjustTokenPrivileges(hToken,false,NewTokenPriviledge,sizeof(_TOKEN_PRIVILEGES),OldTokenPriviledge,returnLength)=false then begin showMessage('failed to AdjustTokenPrivileges!'); end; end; {$R *.dfm} procedure TForm1.Button1Cl
10、ick(Sender: TObject); begin MessageBox(form1.Handle,'Using MessageBox Function','Notifation',MB_OK); end; procedure TForm1.Button2Click(Sender: TObject); var dllHandle:THandle; i:integer; begin EnableDebugPriviledge(); if OpenProcess(PROCESS_ALL_ACCESS ,true,getCurrentProcessID())=NULL t
11、hen begin ListBox1.Items.Add('failed to OpenProcess!'); end; ///////经实验,进程内Hook,以上EnableDebugPriviledge与OpenProcess函数可以去掉。 如果出现因权限不够引起的错误,可调用OpenProcess 获得PROCESS_VM_OPERATION或PROCESS_VM_WRITE权限,或者调用VirtualProtect函数修改虚拟内存空间的读写属性。 dllHandle:=loadLibrary('user32.dll'); if dllHandle=0 then beg
12、in ListBox1.Items.Add('failed to loadLibrary!'); end else ListBox1.Items.Add('succeeded to loadLibrary!'+' '+'user32.dll Module handle value is '+inttostr(cardinal(dllHandle))); padressOfMessageBoxA:=GetProcAddress(dllHandle,Pchar('MessageBoxA')); if padressOfMessageBoxA=nil then begi
13、n ListBox1.Items.Add('failed to GetProcAddress!'); end else ListBox1.Items.Add('succeeded to GetProcAddress!'' '+'MessageBoxA adress is'+inttostr(cardinal(padressOfMessageBoxA))); if ReadProcessMemory(getCurrentProcess(),padressOfMessageBoxA,@oldAddressEntry,5,NumberOfBytesBeenRead)
14、false then begin ListBox1.Items.Add('failed to ReadProcessMemory!'); end else ListBox1.Items.Add('succeeded to ReadProcessMemory!'); ////以上显示错误与成功信息有利于排除调用API函数后可能出现的错误 RelativeAddress:=DWord(@MyMessageBox)-DWord(padressOfMessageBoxA)-5; ////上条语句为偏移地址的计算 pByte:=@RelativeAddre
15、ss; ////请特别注意:JMP XXXXX 的地址是一个相对地址!!!! for i := 2 to 5 do begin newAddressEntry[i]:=pByte^; inc(pByte) ; end; if WriteProcessMemory(getCurrentProcess(),padressOfMessageBoxA,@newAddressEntry,5,NumberOfBytesWriten)=false then begin ListBox1.Items.Add('failed to WriteProcessMemory!'+
16、' '+'Error Code'+' '+inttostr(getLastError())); end else ListBox1.Items.Add('succeeded to WriteProcessMemory!'); end; procedure TForm1.FormCreate(Sender: TObject); begin Label1.Width:=300; end; procedure TForm1.Button5Click(Sender: TObject); begin WriteProcessMe
17、mory(getCurrentProcess(),padressOfMessageBoxA,@oldAddressEntry,5,NumberOfBytesWriten); end; end. 执行后的实际情况如上图所示。 本进程内的HOOk成功之后,进程外的hook也变得相对容易,所以进程外HookAPI不再赘述 经实验,如果要拦截CreateProcess函数,需要拦截CreateProcessW,而不是CreateProcessA 进程注入explorer进程出错的问题因为自定义拦截函数如MyCreateProcessW的参数不能与原函数严格匹配造成的,在delphi里要使参数尽量匹配才会少出错。
©2010-2026 宁波自信网络信息技术有限公司 版权所有
客服电话:0574-28810668 投诉电话:18658249818
浙ICP备2021020529号-1 | 浙B2-20240490
关注我们 :
