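unit Unit1;

{
  Reviewer's note: this listing reached the corpus machine-translated (keywords
  and string literals rendered into Indonesian) and collapsed onto a few lines.
  The unit below is the same program restored to Delphi syntax, with the
  defects listed further down fixed and the hook stubs moved out of
  Button1Click into two stand-alone assembler procedures, as the original
  author asked for.

  Original author's note (translated from the Chinese trailer of the listing):
    "Unit1 contains a lot of junk code, because this anti-hook program is only
     a by-product. Building the useful part as a DLL and injecting it into
     another process is enough to prevent hooking; this has been tried and
     works. The coding style is rather poor, but I did not know how to improve
     it (e.g. moving the FakeCode part into a separate procedure). If you clean
     it up I would appreciate a copy. The mlde32unit code comes from 29A issue
     7; sorry, I forgot the author."

  What the unit does (from the code only):
    - Button1 installs an inline hook on kernel32!FreeLibrary in THIS process:
      the first whole instructions covering >= 5 bytes of FreeLibrary are
      measured with LDE32, copied into Trampoline, and replaced by a JMP rel32
      to FakeFreeLibrary.
    - FakeFreeLibrary inspects the return address of the intercepted call. If
      it lies inside the ntdll.dll image the call is refused and FALSE is
      returned to the caller; otherwise the stolen bytes execute and control
      continues in the real FreeLibrary. (Presumably this is meant to stop a
      remotely created thread whose start routine is FreeLibrary - which
      returns into ntdll/kernel32 thread-start code - from unloading an
      injected DLL; the code itself only shows the ntdll range check.)
    - Button2/Button3/FormCreate/FormDestroy are leftover experiments
      (a VirtualAlloc block and a 1-byte file mapping holding a RET) that are
      unrelated to the hook; the author calls them junk.

  Defects fixed relative to the original:
    - The "inside ntdll" test mixed Integer and Cardinal operands; it is now an
      unsigned range check done in registers, so return addresses below the
      ntdll base can no longer be mistaken for ntdll addresses.
    - The stub wrote its scratch value to a global (p) from the hook path,
      which races between threads; it now uses only registers.
    - Failing to find ntdll's image size only printed a message and went on
      to install a hook that could never refuse anything; it now exits.
    - The stolen bytes were copied into a fixed NOP area without checking
      that they fit; cbStolen is now bounded by STOLEN_MAX.
    - An "int 3" sat at the start of the hook, so every intercepted call
      raised a breakpoint exception outside a debugger; it is now behind
      {$IFDEF HOOK_DEBUG_BREAK}.
    - Return values of ReadProcessMemory/WriteProcessMemory, the second
      VirtualProtect, CreateFileMapping and MapViewOfFile were ignored.
    - Button3 could VirtualFree the same block twice; ptr is now cleared.
    - The trampoline clobbered EAX before continuing into FreeLibrary; it now
      jumps indirectly through a precomputed resume address.

  Constraints and caveats that remain:
    - x86-32 only: FS:[$30], PEB+$0C, LDR entry offsets $18/$20 are the 32-bit
      layouts and the patch assumes a 5-byte JMP rel32.
    - The hook is never removed. In an EXE the stubs stay mapped for the life
      of the process; in a DLL build the DLL must never be unloaded while the
      hook is in place or FreeLibrary will jump into freed memory.
    - Stolen bytes are copied verbatim. A relative JMP/CALL inside the first
      five bytes of FreeLibrary would be relocated incorrectly; the usual
      "mov edi,edi / push ebp / mov ebp,esp" prologue is position-independent,
      but this is not verified.
    - Patching a live function is racy: another thread executing FreeLibrary
      while the five bytes are written may run a half-written instruction.
    - The "already hooked" check only recognises an E9 JMP at the entry.
    - The stubs rely on the compiler emitting no prologue for assembler-only
      procedures ({$STACKFRAMES OFF} below) - confirm in the CPU view.
}

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Memo1: TMemo;
    Button2: TButton;
    Button3: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    procedure FormDestroy(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
    procedure ShowMsg(s: string);
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

uses
  mlde32unit;  // LDE32: x86 instruction length decoder (from 29A #7)

const
  // Target of the commented-out "hook a suspended child process" variant.
  TargetPath = 'c:/program files/borland/delphi6/projects/adv apihook/test/vt.exe';
  Func2Hook  = 'FreeLibrary';
  HOOK_LEN   = 5;   // size of a JMP rel32 (E9 xx xx xx xx)
  STOLEN_MAX = 12;  // NOP bytes reserved at the start of Trampoline

var
  // Must be unit-level (global) variables: the assembler stubs below reference
  // them by absolute address and run on the intercepted caller's stack, with
  // no stack frame of their own.
  ptrReal: Pointer;       // address of the real kernel32!FreeLibrary
  cbStolen: Cardinal;     // bytes of FreeLibrary copied into Trampoline
  resumeAddr: Pointer;    // ptrReal + cbStolen: where Trampoline continues
  ntdllBase: DWORD;       // image base of ntdll.dll in this process
  ntdllLength: DWORD;     // SizeOfImage of ntdll.dll, 0 if unknown
  h: THandle;             // 'pe' file mapping (FormCreate/FormDestroy)
  ptr: Pointer;           // VirtualAlloc test block (Button2/Button3)
  ppp: Pointer;           // view of the 'pe' mapping (FormCreate/FormDestroy)

{ Appends one line to the memo log. }
procedure TForm1.ShowMsg(s: string);
begin
  Memo1.Lines.Add(s);
end;

{ Walks PEB -> Ldr -> InLoadOrderModuleList and returns SizeOfImage of the
  loaded module whose DllBase equals Base, or 0 if no such module is found.
  Offsets are the 32-bit layouts: PEB.Ldr = $0C,
  PEB_LDR_DATA.InLoadOrderModuleList = $0C, LDR_DATA_TABLE_ENTRY.DllBase = $18,
  LDR_DATA_TABLE_ENTRY.SizeOfImage = $20. These are undocumented; reading
  IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage from the mapped PE header at
  Base would be a documented alternative. }
function LdrImageSizeOf(Base: DWORD): DWORD;
var
  peb, ldr, head, entry: Pointer;
begin
  Result := 0;
  asm
    mov eax, fs:[$30]   // TEB.ProcessEnvironmentBlock
    mov peb, eax
  end;
  ldr := Pointer(PDWORD(DWORD(peb) + $0C)^);
  head := Pointer(DWORD(ldr) + $0C);   // the LIST_ENTRY that heads the list
  entry := Pointer(PDWORD(head)^);      // head.Flink: first module entry
  // Stop when we are back at the list head (same entries the original visited).
  while DWORD(entry) <> DWORD(head) do
  begin
    if PDWORD(DWORD(entry) + $18)^ = Base then
    begin
      Result := PDWORD(DWORD(entry) + $20)^;
      Exit;
    end;
    entry := Pointer(PDWORD(entry)^);  // InLoadOrderLinks.Flink
  end;
end;

{$STACKFRAMES OFF}

{ Hook target. FreeLibrary's first bytes are replaced by "jmp FakeFreeLibrary",
  so on entry the stack is exactly as the caller left it for a stdcall
  FreeLibrary(hModule): [esp] = return address, [esp+4] = hModule.
  Only EAX/EDX (caller-saved in stdcall) are touched and no memory is written,
  so the stub is safe to run from any thread.
  If the return address lies inside ntdll.dll the call is refused: the
  argument is removed as stdcall requires and FALSE is returned to the caller.
  Otherwise control goes to Trampoline, which runs the stolen bytes and
  continues in the real FreeLibrary. }
procedure FakeFreeLibrary;
asm
{$IFDEF HOOK_DEBUG_BREAK}
  int 3                     // debug aid only; traps every intercepted call
{$ENDIF}
  mov  eax, [esp]           // return address of the intercepted call
  sub  eax, ntdllBase
  cmp  eax, ntdllLength     // unsigned: (ret - base) < length  <=> inside ntdll
  jae  @@passthrough
  // Caller is inside ntdll: refuse the unload.
  pop  edx                  // return address
  add  esp, 4               // drop hModule (callee-cleanup, stdcall)
  xor  eax, eax             // BOOL FALSE
  jmp  edx
@@passthrough:
  jmp  Trampoline
end;

{ Holds the first cbStolen (<= STOLEN_MAX) bytes of the real FreeLibrary,
  copied here by Button1Click, followed by an indirect jump to resumeAddr
  (= ptrReal + cbStolen). The NOP area must have exactly STOLEN_MAX bytes.
  No register is modified, so the stolen instructions see the same state
  the real FreeLibrary would. }
procedure Trampoline;
asm
  db $90, $90, $90, $90, $90, $90, $90, $90, $90, $90, $90, $90  // STOLEN_MAX NOPs
  jmp dword ptr [resumeAddr]
end;

{$STACKFRAMES ON}

{ Installs the FreeLibrary hook in the current process. Every step logs to the
  memo and exits on failure; nothing is written to FreeLibrary until the
  trampoline is complete. The hook is not removed anywhere (see unit header). }
procedure TForm1.Button1Click(Sender: TObject);
var
  originalBytes: array[0..HOOK_LEN - 1] of Byte;  // saved; no unhook exists yet
  hookJmp: array[0..HOOK_LEN - 1] of Byte;
  rel, oldProtect, transferred: DWORD;
  len: Integer;
begin
  ptrReal := nil;
  resumeAddr := nil;
  cbStolen := 0;
  ntdllLength := 0;

  ntdllBase := DWORD(GetModuleHandle('ntdll.dll'));
  if ntdllBase <> 0 then
    ntdllLength := LdrImageSizeOf(ntdllBase);
  if ntdllLength = 0 then
  begin
    // With no ntdll range the stub could never refuse anything, so do not hook.
    ShowMsg('can''t get image size of ntdll.dll! exit!');
    Exit;
  end;

  { Suspended-child variant kept from the original for reference. Note that
    FakeFreeLibrary/Trampoline live in THIS image, so a remote variant would
    also have to map them into the target before resuming it:
      ZeroMemory(@si, SizeOf(si)); si.cb := SizeOf(si);
      CreateProcess(TargetPath, nil, nil, nil, False, CREATE_SUSPENDED,
                    nil, nil, si, pi);
      ReadProcessMemory(pi.hProcess, ...) / WriteProcessMemory(pi.hProcess, ...)
      ResumeThread(pi.hThread); }

  ShowMsg('preparing to hook ' + Func2Hook + '...');
  ptrReal := GetProcAddress(GetModuleHandle('kernel32.dll'), Func2Hook);
  if not Assigned(ptrReal) then
  begin
    ShowMsg('addr of ' + Func2Hook + ' can''t be read! exit!');
    Exit;
  end;
  ShowMsg('real ' + Func2Hook + ' addr: ' + IntToHex(DWORD(ptrReal), 8));

  // Refuse to stack a second hook; only the E9 JMP form is recognised.
  if (not ReadProcessMemory(GetCurrentProcess, ptrReal, @originalBytes,
                            HOOK_LEN, transferred)) or (transferred <> HOOK_LEN) then
  begin
    ShowMsg('can''t read the first bytes of ' + Func2Hook + '! exit!');
    Exit;
  end;
  if originalBytes[0] = $E9 then
  begin
    ShowMsg(Func2Hook + ' has been hooked! exit!');
    Exit;
  end;
  ShowMsg(Func2Hook + ' havn''t beated!');

  // Steal whole instructions until at least HOOK_LEN bytes are covered.
  // LDE32's failure value is not visible here; treat <= 0 as failure.
  while cbStolen < HOOK_LEN do
  begin
    len := LDE32(Pointer(DWORD(ptrReal) + cbStolen));
    if len <= 0 then
    begin
      ShowMsg('LDE32 can''t decode ' + Func2Hook + '! exit!');
      Exit;
    end;
    Inc(cbStolen, len);
  end;
  if cbStolen > STOLEN_MAX then
  begin
    ShowMsg('first instructions span ' + IntToStr(cbStolen) + ' bytes, more than the '
      + IntToStr(STOLEN_MAX) + ' reserved in the trampoline! exit!');
    Exit;
  end;
  ShowMsg('let''s steal the first ' + IntToStr(cbStolen) + ' bytes :)');

  ShowMsg('but make it writable first...');
  if not VirtualProtect(ptrReal, cbStolen, PAGE_EXECUTE_READWRITE, @oldProtect) then
  begin
    ShowMsg('make ' + IntToHex(DWORD(ptrReal), 8) + ' writable failed!');
    Exit;
  end;
  ShowMsg('make ' + IntToHex(DWORD(ptrReal), 8) + ' writable succeeded!');

  // Fill the trampoline first (it lives in this unit's code segment).
  if not VirtualProtect(@Trampoline, STOLEN_MAX, PAGE_EXECUTE_READWRITE, @oldProtect) then
  begin
    ShowMsg('make trampoline writable failed!');
    Exit;
  end;
  resumeAddr := Pointer(DWORD(ptrReal) + cbStolen);
  if (not WriteProcessMemory(GetCurrentProcess, @Trampoline, ptrReal,
                             cbStolen, transferred)) or (transferred <> cbStolen) then
  begin
    ShowMsg('copying stolen bytes into the trampoline failed!');
    Exit;
  end;

  ShowMsg('assembling JMP code & hooking ' + Func2Hook + '...');
  // JMP rel32: displacement is relative to the end of the 5-byte instruction.
  hookJmp[0] := $E9;
  rel := DWORD(@FakeFreeLibrary) - DWORD(ptrReal) - HOOK_LEN;
  CopyMemory(@hookJmp[1], @rel, SizeOf(rel));
  // WriteProcessMemory on the own process also flushes the instruction cache.
  if (not WriteProcessMemory(GetCurrentProcess, ptrReal, @hookJmp,
                             HOOK_LEN, transferred)) or (transferred <> HOOK_LEN) then
  begin
    // The trampoline holds the stolen bytes but nothing jumps to it: harmless.
    ShowMsg('hook ' + Func2Hook + ' failed!');
    Exit;
  end;
  ShowMsg('hook ' + Func2Hook + ' SUCCECED! Resume Thread!');
end;

{ Leftover experiment: allocates a 1 KiB RWX block, releasing any previous
  one first. Unrelated to the hook. }
procedure TForm1.Button2Click(Sender: TObject);
begin
  { Earlier experiment, kept for reference: executing the RET placed in the
    'pe' mapping by FormCreate.
      asm call ppp end; Exit;
    The mapping is PAGE_READWRITE, so on a DEP-enabled system this would fault. }
  Button3Click(nil);  // release a previous block before allocating a new one
  ptr := VirtualAlloc(nil, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if not Assigned(ptr) then
    ShowMsg('fatal error: VirtualAlloc failed!')
  else
    ShowMsg('VirtualAlloc succeeded! ptr = ' + IntToHex(DWORD(ptr), 8));
end;

{ Releases the Button2 block and the 'pe' mapping created in FormCreate.
  The FreeLibrary hook is intentionally left in place (see unit header). }
procedure TForm1.FormDestroy(Sender: TObject);
begin
  Button3Click(nil);
  if Assigned(ppp) then
    UnmapViewOfFile(ppp);
  if h <> 0 then
    CloseHandle(h);
end;

{ Releases the Button2 block if one is allocated. Clearing ptr makes a second
  click (or FormDestroy after a click) a no-op instead of a double free. }
procedure TForm1.Button3Click(Sender: TObject);
begin
  if Assigned(ptr) then
  begin
    VirtualFree(ptr, 0, MEM_RELEASE);
    ptr := nil;
  end;
end;

{ Leftover experiment: a 1-byte pagefile-backed mapping named 'pe' whose
  single byte is set to RET ($C3). Unrelated to the hook. 'pe' is a global
  object name, so another process owning an object of that name would make
  CreateFileMapping fail or hand back a foreign mapping. }
procedure TForm1.FormCreate(Sender: TObject);
begin
  ptr := nil;
  ppp := nil;
  h := CreateFileMapping(INVALID_HANDLE_VALUE, nil, PAGE_READWRITE or SEC_COMMIT,
                         0, 1, 'pe');
  if h = 0 then
  begin
    Caption := 'CreateFileMapping failed: ' + IntToStr(GetLastError);
    Exit;
  end;
  ppp := MapViewOfFile(h, FILE_MAP_ALL_ACCESS, 0, 0, 0);
  if not Assigned(ppp) then
  begin
    Caption := 'MapViewOfFile failed: ' + IntToStr(GetLastError);
    Exit;
  end;
  Caption := IntToHex(DWORD(ppp), 8);
  PByte(ppp)^ := $C3;  // RET
end;

end.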