unit Unit1; interface uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls; type TForm1 = class(TForm) Button1: TButton; Memo1: TMemo; Button2: TButton; Button3: TButton; procedure Button1Click(Sender: TObject); procedure Button2Click(Sender: TObject); procedure Button3Click(Sender: TObject); procedure FormDestroy(Sender: TObject); procedure FormCreate(Sender: TObject); private { Private declarations } procedure ShowMsg(s: string); public { Public declarations } end; var Form1: TForm1; implementation {$R *.dfm} uses MLDE32Unit; const DesPath = 'C:Program FilesBorlandDelphi6ProjectsAdv APIHOOKTestvt.exe'; Func2Hook = 'FreeLibrary'; var //must be a globle variable PtrReal: Pointer; cbStolen: Cardinal; NtDllBase, NtDllLength: integer; p: pointer; h:dword; procedure TForm1.ShowMsg(s: string); begin Memo1.Lines.Add(s); end; procedure TForm1.Button1Click(Sender: TObject); label FakeCode, RtnCode; var // si: STARTUPINFO; // pi: PROCESS_INFORMATION; OriginalBytes: Array [0..4] of Char; HookJmp: PChar; Rtn: Cardinal; Bytes: Array [0..4] of Char; tmp: Cardinal; peb, ldr, flink: pointer; bs: DWORD; begin PtrReal := nil; NtDllLength := 0; NtDllBase := GetModuleHandle('ntdll.dll'); asm mov eax,fs:[$30] mov peb,eax end; ldr := pointer(dword(pointer(dword(peb)+12)^)); flink := pointer(dword(pointer(dword(ldr)+12)^)); p := flink; repeat bs := DWORD(pointer(dword(p)+$18)^); if bs = NtDllBase then begin NtDllLength := DWORD(pointer(dword(p)+$20)^); break; end; p := pointer(dword(p^)); until dword(flink) = dword(p^); if NtDllLength = 0 then ShowMsg('Can''t get ntdll.dll image size!'); { ShowMsg('Creating suspended process ...'); ZeroMemory(@si, sizeof(STARTUPINFO)); si.cb := sizeof(STARTUPINFO); CreateProcess(DesPath, nil, nil, nil, False, CREATE_SUSPENDED, nil, nil, si, pi); } ShowMsg('Preparing HOOK ' + Func2Hook + ' ...'); PtrReal := GetProcAddress(GetModuleHandle('Kernel32.dll'), Func2Hook); if Assigned(PtrReal) then ShowMsg('Real ' + Func2Hook + ' Addr: ' + inttohex(DWORD(PtrReal), 8)) else begin ShowMsg(' Addr: ' + Func2Hook + ' is unreadable! Exit!'); // ResumeThread(pi.hThread); Exit; end; ReadProcessMemory(GetCurrentProcess, PtrReal, @Bytes, 5, Rtn); // ReadProcessMemory(pi.hProcess, PtrReal, @Bytes, 5, Rtn); if Bytes[0] <> Chr($E9) then begin CopyMemory(@OriginalBytes, @Bytes, 5); ShowMsg(Func2Hook + ' havn''t been hooked!'); end else begin ShowMsg(Func2Hook + ' have been hooked! Exit!'); // ResumeThread(pi.hThread); exit; end; cbStolen :=0; while cbStolen < 5 do cbStolen := cbStolen + LDE32(Pointer(DWORD(PtrReal) + cbStolen)); ShowMsg('Let''s steal the first ' + inttostr(cbStolen) + ' bytes :)'); ShowMsg('But make it writable first ...'); if VirtualProtect(PtrReal ,cbStolen , PAGE_EXECUTE_READWRITE, @tmp) then ShowMsg('Make ' + inttohex(DWORD(PtrReal), 8) + ' writable succeed!') else begin ShowMsg('Hoops! Make ' + inttohex(DWORD(PtrReal), 8) + ' writable failed! Exit!!'); // ResumeThread(pi.hThread); exit; end; ShowMsg('Assemble Jmp codes & hook ' + Func2Hook + '...'); GetMem(HookJmp, 5); try HookJmp[0] := Chr($E9); asm push eax lea eax, FakeCode mov tmp, eax pop eax end; tmp := tmp - DWORD(PtrReal) - 5; CopyMemory(@HookJmp[1], @tmp, 4); asm push eax lea eax, RtnCode mov tmp, eax pop eax end; VirtualProtect(Pointer(tmp) ,cbStolen , PAGE_EXECUTE_READWRITE, @Rtn); CopyMemory(Pointer(tmp), PtrReal, cbStolen); WriteProcessMemory(GetCurrentProcess, PtrReal, HookJmp, 5, Rtn); // WriteProcessMemory(pi.hProcess, PtrReal, HookJmp, 5, Rtn); ShowMsg('Hook ' + Func2Hook + ' succeed! Resume thread!'); finally Freemem(HookJmp); // ResumeThread(pi.hThread); end; exit; FakeCode: //No strings from here on asm int 3 end; asm push eax lea eax, [esp+4] mov p, eax pop eax end; if dword(p^) - ntdllbase < NtDllLength then asm pop p pop eax pop eax pop eax mov eax, 0 jmp p // push p // ret end; //messagebox(0,pchar(p),'',0); RtnCode: asm nop nop nop nop nop nop nop nop nop nop nop nop nop mov eax, PtrReal add eax, cbStolen jmp eax end; end; var Ptr, ppp: Pointer; procedure TForm1.Button2Click(Sender: TObject); begin {asm call ppp; end; exit; } Button3Click(nil); Ptr := VirtualAlloc(nil, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if not Assigned(Ptr) then Memo1.Lines.Add('Fatal Error: VirtualAlloc failed!') else Memo1.Lines.Add('VirtualAlloc succeed! Ptr = ' + inttohex(DWord(Ptr), 8)); end; procedure TForm1.FormDestroy(Sender: TObject); begin Button3Click(nil); UnmapViewOfFile(ppp); CloseHandle(h); end; procedure TForm1.Button3Click(Sender: TObject); begin if Assigned(Ptr) then VirtualFree(Ptr, 0, MEM_RELEASE); end; procedure TForm1.FormCreate(Sender: TObject); begin h := CreateFileMapping($FFFFFFFF, nil, PAGE_READWRITE or SEC_COMMIT, 0, 1, 'pe'); ppp := MapVIEwOfFile(h,FILE_MAP_ALL_Access,0,0,0); caption := inttohex(dWord(ppp),8); char(ppp^) := Chr($C3); end; end. ====== Unit1裡有很多垃圾代碼,因為這個防hook的程序只是一個副產品。有用代碼寫成dll注入其他進程就可以防hook了,已經試過沒問題。代碼風格比較差,不過不知道怎麼改的更好(如將FakeCode部分放到單獨過程中)。如果你改好了希望能發給我一份。 MLDE32Unit代碼來自29A第七期,作者忘記了,不好意思。
