  • R3 HOOK OpenProcess 的问题

    unit HookAPI;
    //Download by http://www.codefans.net
    // In-process import-table (IAT) patching helpers.  Written for 32-bit x86:
    // addresses are carried in Integer casts and import stubs are matched
    // against the 32-bit "jmp dword ptr [imm32]" encoding.
    interface
    
    uses
       Windows, Classes;
    // Follows a "jmp [addr]" import stub to the function it points at; returns
    // Code unchanged when it is not such a stub, nil when reading it faults.
    function LocateFunctionAddress(Code: Pointer): Pointer;
    // Rewrites the IAT slots of the current process that resolve to OldFunc so
    // they hold NewFunc, walking the main module and the modules it imports.
    // Returns a count of slots rewritten.
    function RepointFunction(OldFunc, NewFunc: Pointer): Integer;
    
    type // one entry of the PE import directory (IMAGE_IMPORT_DESCRIPTOR, 20 bytes)
       PImage_Import_Entry = ^Image_Import_Entry;
       Image_Import_Entry = record
          Characteristics: DWORD;   // in the PE spec a union with OriginalFirstThunk
          TimeDateStamp: DWORD;
          MajorVersion: Word;       // these two Words occupy the 4 bytes the
          MinorVersion: Word;       // PE spec calls ForwarderChain
          Name: DWORD;              // RVA of the imported DLL's ASCIIZ name
          LookupTable: DWORD;       // FirstThunk: RVA of the IAT slots that get patched
       end;
    
    type // the import stub that an external call jumps through (6 bytes, packed)
       TImportCode = packed record
          JumpInstruction: Word; // opcode bytes FF 25 ("jmp dword ptr [imm32]"), read little-endian as $25FF
          AddressOfPointerToFunction: ^Pointer; // the imm32 operand: address of the IAT slot holding the target
       end;
       PImportCode = ^TImportCode;
    implementation
    
    function LocateFunctionAddress(Code: Pointer): Pointer;
    // Resolves an import stub to its real target.  A stub is recognised by the
    // opcode bytes FF 25 (little-endian word $25FF, "jmp dword ptr [imm32]");
    // its operand is the address of the IAT slot, which is dereferenced once.
    // Anything else is returned as-is; a faulting read yields nil.
    var
       Stub: PImportCode;
    begin
       // Default answer: the pointer already is the function.
       Result := Code;
       if Code = nil then
          exit;
       try
          Stub := Code;
          // Not a jmp-through-IAT stub: keep Code.
          if Stub^.JumpInstruction <> $25FF then
             exit;
          Result := Stub^.AddressOfPointerToFunction^;
       except
          // Unreadable memory: report failure rather than propagate.
          Result := nil;
       end;
    end;
    
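    function RepointFunction(OldFunc, NewFunc: Pointer): Integer;
    // Rewrites, in the current process, every import-table (IAT) slot that
    // resolves to OldFunc so that it holds NewFunc.  The walk starts at the
    // main module (GetModuleHandle(nil)) and recurses into each DLL named in
    // a module's import directory; IsDone stops a module being visited twice.
    // Returns the total number of slots rewritten across all visited modules
    // (the original discarded the counts of the recursive calls).
    // 32-bit x86 only: addresses travel through Integer casts and a slot is
    // SizeOf(Pointer) = 4 bytes wide.
    var
       IsDone: TList;
       // Patches one module, then the modules it imports.  hModule = 0 (DLL
       // not loaded) and modules without a valid PE header or import
       // directory are skipped and contribute 0.
       function RepointAddrInModule(hModule: THandle; OldFunc, NewFunc: Pointer): Integer;
       var
          Dos: PImageDosHeader;
          NT: PImageNTHeaders;
          ImportDesc: PImage_Import_Entry;
          RVA: DWORD;
          Func: ^Pointer;       // walks the IAT slots of one import descriptor
          DLL: string;
          f: Pointer;
          written: DWORD;
       begin
          Result := 0;
          // GetModuleHandle returns 0 for a DLL that is not loaded; nothing to patch.
          if hModule = 0 then exit;
          Dos := Pointer(hModule);
          if IsDone.IndexOf(Dos) >= 0 then exit;
          IsDone.Add(Dos);
    
          // OldFunc may itself be an import stub (jmp [IAT slot]); compare
          // against the real target, which is what LocateFunctionAddress
          // yields for each slot below.
          OldFunc := LocateFunctionAddress(OldFunc);
    
          // NOTE(review): IsBadReadPtr is documented by Microsoft as unreliable
          // (it can trip guard pages); kept as in the original.
          if IsBadReadPtr(Dos, SizeOf(TImageDosHeader)) then exit;
          if Dos.e_magic <> IMAGE_DOS_SIGNATURE then exit;
          NT := Pointer(Integer(Dos) + dos._lfanew);
          // Validate the NT header before trusting its data directory.
          if IsBadReadPtr(NT, SizeOf(TImageNTHeaders)) then exit;
          if NT^.Signature <> IMAGE_NT_SIGNATURE then exit;
    
          RVA := NT^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
             .VirtualAddress;
    
          if RVA = 0 then exit;
          ImportDesc := pointer(integer(Dos) + RVA);
          // The import directory ends with an all-zero descriptor; Name = 0 is used as the sentinel.
          while (ImportDesc^.Name <> 0) do
          begin
             DLL := PChar(Integer(Dos) + ImportDesc^.Name);
             // Fold the dependent module's count into the total.
             Inc(Result, RepointAddrInModule(GetModuleHandle(PChar(DLL)), OldFunc, NewFunc));
             Func := Pointer(Integer(DOS) + ImportDesc.LookupTable);
             while Func^ <> nil do
             begin
                f := LocateFunctionAddress(Func^);
                if f = OldFunc then
                begin
                   // WriteProcessMemory rather than a direct store: the IAT page
                   // is normally not writable and the call is expected to adjust
                   // protection itself (confirm on the target OS).  Count the
                   // slot only when the call succeeded and reported bytes written.
                   written := 0;
                   if WriteProcessMemory(GetCurrentProcess, Func, @NewFunc, SizeOf(Pointer), written) then
                      if written > 0 then Inc(Result);
                end;
                Inc(Func);
             end;
             Inc(ImportDesc);
          end;
       end;
    
    begin
       IsDone := TList.Create;
       try
          Result := RepointAddrInModule(GetModuleHandle(nil), OldFunc, NewFunc);
       finally
          IsDone.Free;
       end;
    end;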

    进行 OpenProcess HOOK 时，只运行单个程序时正常，但同时运行两个一样的程序时就会出问题，有没有更稳定的办法？

    可以看下AFXRootkit的代码.

    http://code.google.com/p/delphi-hook-library/

    http://bbs.2ccc.com/topic.asp?topicid=479563

    http://bbs.2ccc.com/topic.asp?topicid=525150

  • 原文地址:https://www.cnblogs.com/findumars/p/6294871.html