进程防杀Delphi版(DLL部分)

本文整理自网络，侵删。

 自己程序中的一段代码，进程防杀。根据网上面流传的进程防杀的C++代码改编。 

DLL部分： 
PIMAGE_IMPORT_DESCRIPTOR = ^_IMAGE_IMPORT_DESCRIPTOR; 
PImageImportDescriptor = PIMAGE_IMPORT_DESCRIPTOR; 
_IMAGE_IMPORT_DESCRIPTOR = packed record 
CharacteristicsOrOriginalFirstThunk: DWord; 
TimeDateStamp: DWord; 
ForwarderChain: DWord; 
Name: DWord; 
FirstThunk: DWord; 
end; 
PIMAGE_THUNK_DATA = ^_IMAGE_THUNK_DATA; 
PImageThunkData = PIMAGE_THUNK_DATA; 
_IMAGE_THUNK_DATA = packed record 
Case Integer of 
0 : (ForwarderString: DWord); 
1 : (Function_: DWord); 
2 : (Ordinal: DWord); 
3 : (AddressOfData: DWord); 
end; 

var 

OriginalOpenProcess : function (dwDesiredAccess: DWORD; bInheritHandle: BOOL; 
dwProcessId: DWORD): THandle; stdcall; 

function HookAPIFunction(hFromModule: HMODULE;pszFunctionModule: PAnsiChar; 
pszFunctionName: PAnsiChar;pfnNewProc: Pointer): Pointer; 
var 
pfnOriginalProc: Pointer; 
pDosHeader: PImageDosHeader; 
pNTHeader: PImageNtHeaders; 
pImportDesc: PImageImportDescriptor; 
pThunk: PImageThunkData; 
dwProtectionFlags,dwScratch: DWORD; 
pszModName: PAnsiChar; 
begin 
Result := nil; 
pfnOriginalProc := GetProcAddress(GetModuleHandle(pszFunctionModule), 
pszFunctionName); 
pDosHeader := PImageDosHeader(hFromModule); 
pNTHeader := PImageNTHeaders(DWORD(pDosHeader)+DWORD(pDosHeader^._lfanew)); 
pImportDesc := PImageImportDescriptor(DWORD(pDosHeader)+ 
DWORD(pNTHeader^.OptionalHeader. 
DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]. 
VirtualAddress)); 
while pImportDesc^.Name <> 0 do 
begin 
pszModName := PAnsiChar(Pointer(DWORD(pDosHeader) + DWORD(pImportDesc^.Name))); 
if LowerCase(pszModName) = LowerCase(pszFunctionModule) then Break; 
Inc(pImportDesc); 
end; 
if pImportDesc^.Name = 0 then Exit; 
pThunk := PImageThunkData(DWORD(pDosHeader) + DWORD(pImportDesc^.FirstThunk)); 
while pThunk^.Function_ <> 0 do 
begin 
if (pThunk^.Function_ = DWORD(pfnOriginalProc)) then 
begin 
dwProtectionFlags := PAGE_READWRITE; 
VirtualProtect(@pThunk^.Function_,4096,dwProtectionFlags,@dwScratch); 
pThunk^.Function_ := DWORD(pfnNewProc); 
Result := pfnOriginalProc ; 
Break; 
end; 
Inc(pThunk); 
end; 
end; 

function OpenProcessHandler(dwDesiredAccess: DWORD; bInheritHandle: BOOL; 
dwProcessId: DWORD): THandle; stdcall; 
begin 
Result := OriginalOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId); 
if (dwProcessID = PID) and (PID <> 0) then Result := 0; 
end; 

//防杀的进程ID，从注册表中获得 
procedure GetHookProcessID; 
var 
TempKey: HKEY; 
DataType,Size: Integer; 
begin 
PID := 0; 
Size := Sizeof(Integer); 
if RegOpenKeyEx(HKEY_LOCAL_MACHINE,’Software\Vssoft’, 0,KEY_READ, 
TempKey) = ERROR_SUCCESS then 
begin 
RegQueryValueEx(TempKey,’ProcessID’,nil,@DataType,PByte(@PID),@Size); 
RegCloseKey(TempKey); 
end; 
end; 

function HookOpenProcess(nCode: Integer;wParam: WPARAM;lParam: LPARAM): LRESULT;stdcall; 
begin 
GetHookProcessID; 
if not Assigned(OriginalOpenProcess) then 
OriginalOpenProcess := HookAPIFunction(GetModuleHandle(nil), 
’KERNEL32.DLL’,’OpenProcess’,@OpenProcessHandler); 
Result := 0; 
end; 

exports 
HookOpenProcess; 

相关阅读 >>

winapi 字符及字符串函数(7): ischarlower - 是否是个小写字母

Delphi 获取系统的硬盘分区及使用信息

Delphi paramstr 获取外部参数

Delphi application.title在win7下失效了？

Delphi 根据关键字取关键词以后的字符串

Delphi sccoloredid，星际争霸彩色 id 修改器 v0.2.0，支持 windows vista

Delphi firedac连接mysql的时候报错

Delphi 根据快捷方式路径取源文件地址

检测是否按下键盘或鼠标，如果超过5分钟没有操作则认为用户已经离开

Delphi 安卓图像压缩bitmapcompress

更多相关阅读请进入《Delphi》频道 >>

转载请注明出处：木庄网络博客 » 进程防杀Delphi版(DLL部分)