unit Unit1;
interface
uses Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics, Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls;
type
  { Demo form for an inline API hook.
    Button1 calls MessageBoxA directly ("hello world").
    Button2 runs HookMsg, which overwrites the first bytes of MessageBoxA with a
    jmp to msgbox, so the following Button1 click is intercepted. }
  TForm1 = class(TForm)
    Button1: TButton;   // plain MessageBoxA caller
    Button2: TButton;   // installs the hook
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var
  Form1: TForm1;
  // Address of user32!MessageBoxA, resolved by HookMsg; msgbox writes the
  // saved bytes back to this address.
  KerFunProc: pointer;
  // Backup of the 5 bytes of MessageBoxA that the jmp patch overwrites
  // (filled by HookMsg, restored by msgbox). The patch is 1 opcode + 4-byte
  // displacement, hence exactly 5 entries.
  // NOTE: the name 'read' shadows the Read intrinsic inside this unit.
  read: array[0..4] of Byte;
implementation
{$R *.dfm}
procedure TForm1.Button1Click(Sender: TObject);
{ Calls MessageBoxA with no owner window, the default caption and MB_OK.
  Once HookMsg has patched MessageBoxA this call lands in msgbox instead. }
begin
  MessageBoxA(0, 'hello world', nil, MB_OK);
end;
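function msgbox(hWnd: HWND; lpText, lpCaption: PAnsiChar; uType: UINT): Integer; stdcall;
{ Replacement for MessageBoxA, installed by HookMsg.
  Control arrives here because the first 5 bytes of MessageBoxA were replaced
  by a jmp to this function. The saved original bytes (global 'read') are put
  back, then the real MessageBoxA is called with a replaced text.
  hWnd, lpCaption and uType pass through unchanged; lpText is deliberately
  ignored.
  Returns MessageBoxA's result, or 0 (the value MessageBoxA itself returns on
  failure) when the original bytes could not be restored -- calling
  MessageBoxA while the jmp is still in place would only re-enter this function.
  NOTE: the jmp is not re-applied after the call, so the hook fires once per
  HookMsg call; run HookMsg again to re-arm it. }
var
  Written: SIZE_T;
begin
  // Restore all 5 bytes with ONE write. The original loop issued five 1-byte
  // writes, leaving four intermediate states in which the prologue of
  // MessageBoxA was neither the jmp nor the original code. The results of
  // WriteProcessMemory were also never checked.
  Written := 0;
  if (KerFunProc = nil) or
     not WriteProcessMemory(GetCurrentProcess, KerFunProc, @read, SizeOf(read), Written) or
     (Written <> SizeOf(read)) then
    Exit(0);
  Result := MessageBoxA(hWnd, '被我HOOK住了!', lpCaption, uType);
end;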
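procedure HookMsg();
{ Installs an inline hook (5-byte "jmp rel32") on user32!MessageBoxA that
  diverts every call to msgbox.
  Steps: resolve MessageBoxA, read its first 5 bytes, build the patch
  E9 <rel32> in a local buffer, keep the original bytes in the global 'read'
  (msgbox restores them) and set KerFunProc, then write the patch in a single
  WriteProcessMemory call.
  Changes relative to the original listing:
   - address arithmetic uses NativeInt instead of Cardinal, which truncates
     pointers on Win64;
   - the rel32 displacement is range-checked: on Win64 user32 may be more than
     2 GiB away from this module and a truncated displacement would jump into
     unrelated memory;
   - calling HookMsg twice is safe: the old code re-read the already patched
     bytes into 'read', so msgbox would "restore" the jmp and recurse until
     the stack overflowed;
   - the opcode and displacement are written together instead of as a 1-byte
     write followed by a 4-byte write;
   - LoadLibrary / GetProcAddress / ReadProcessMemory / WriteProcessMemory
     failures raise instead of being ignored.
  Raises EOSError (RaiseLastOSError) on Win32 API failure and Exception when
  msgbox is out of rel32 range.
  Not thread-safe: a thread executing MessageBoxA while the patch is written
  may observe a torn prologue. }
const
  PatchSize  = 5;    // opcode + 4-byte displacement
  OpJmpRel32 = $E9;
var
  Module: HMODULE;
  Target: Pointer;
  Patch, Current: array[0..PatchSize - 1] of Byte;
  Displacement: NativeInt;
  Done: SIZE_T;
begin
  Module := LoadLibrary('user32.dll');
  if Module = 0 then
    RaiseLastOSError;
  Target := GetProcAddress(Module, 'MessageBoxA');
  if Target = nil then
    RaiseLastOSError;

  // rel32 is relative to the address following the 5-byte jmp instruction.
  Displacement := NativeInt(@msgbox) - (NativeInt(Target) + PatchSize);
  if (Displacement < Low(Integer)) or (Displacement > High(Integer)) then
    raise Exception.Create('HookMsg: msgbox is out of rel32 range of MessageBoxA');
  Patch[0] := OpJmpRel32;
  PInteger(@Patch[1])^ := Integer(Displacement);

  // Read into a scratch buffer first: if the bytes at Target already equal our
  // patch, the hook is in place and 'read' still holds the real original
  // bytes -- copying the patch over it would destroy that backup.
  Done := 0;
  if not ReadProcessMemory(GetCurrentProcess, Target, @Current, SizeOf(Current), Done) or
     (Done <> SizeOf(Current)) then
    RaiseLastOSError;
  if CompareMem(@Current, @Patch, PatchSize) then
    Exit;  // already hooked
  Move(Current, read, SizeOf(read));

  if not WriteProcessMemory(GetCurrentProcess, Target, @Patch, PatchSize, Done) or
     (Done <> PatchSize) then
    RaiseLastOSError;
  KerFunProc := Target;
end;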
procedure TForm1.Button2Click(Sender: TObject);
{ Installs the MessageBoxA hook; after this, Button1's MessageBoxA call is
  diverted to msgbox. }
begin
  HookMsg;
end;
end.