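unit Unit1;

{
  Inline ("detour") hook of kernel32!FreeLibrary in the *current* process.

  Button1 overwrites the first 5 bytes of FreeLibrary with an E9 rel32 JMP to
  HookStub. HookStub looks at the return address of whoever called
  FreeLibrary: calls whose return address lies inside ntdll.dll's image are
  swallowed (FreeLibrary appears to return FALSE); every other call is
  forwarded through Trampoline, which holds the displaced ("stolen") original
  bytes followed by a jump back into FreeLibrary just past the patch.

  Button2/Button3 and FormCreate/FormDestroy are unrelated RWX-memory and
  shared-section experiments that were part of the original source and are
  kept as they were, with nil/handle guards added.

  Notes for whoever reuses this:
    * Patching another module's code from user mode is exactly what AV/EDR
      products look for; this is a research proof of concept.
    * The hook is never removed. OriginalBytes keeps the overwritten bytes so
      an unhook routine could be added, but none exists here.
    * Instruction lengths come from LDE32 (29A issue 7). The stolen bytes are
      copied verbatim into Trampoline, so an EIP-relative branch inside them
      would be mis-targeted after the move; Button1Click refuses such prologues.
    * The original version never restored the page protection of the patched
      kernel32 page and did not check for the trampoline overflowing; both are
      fixed below.
}

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Memo1: TMemo;
    Button2: TButton;
    Button3: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    procedure FormDestroy(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
    procedure ShowMsg(const S: string);
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

uses
  mlde32unit;  { LDE32: x86 length disassembler from 29A issue 7 (author unknown) }

const
  { Target of the (disabled) remote-process variant; see the CreateProcess
    note in Button1Click. Unused by the in-process hook. }
  DesPath = 'c:/program files/borland/delphi6/projects/adv apihook/test/vt.exe';
  Func2Hook = 'FreeLibrary';

  { Length of the E9 rel32 jump written over the hooked function. }
  JmpSize = 5;

  { Size of the NOP pad inside Trampoline that receives the stolen bytes.
    Must equal the number of NOPs emitted in Trampoline below. }
  TrampolineCapacity = 16;

var
  { Everything read from HookStub/Trampoline MUST be global: both routines run
    on the hooked caller's stack without a frame of their own, so they can only
    reach variables at absolute addresses. }
  PtrReal: Pointer;               { address of the real kernel32!FreeLibrary }
  CbStolen: Cardinal;             { bytes displaced by the JMP (>= JmpSize) }
  NtdllBase, NtdllLength: DWORD;  { ntdll.dll DllBase and SizeOfImage }
  OriginalBytes: array[0..JmpSize - 1] of Byte;  { bytes the JMP overwrote }

  H: THandle;        { file-mapping handle created in FormCreate }
  Ptr, PPP: Pointer; { RWX block (Button2) and mapped section view (FormCreate) }

{ Returns SizeOfImage of the loaded module whose DllBase is Base, or 0 if no
  such module is in the loader list. Walks PEB->Ldr->InLoadOrderModuleList
  directly (no PSAPI), like the original, but stops at the list head instead
  of the first entry, so the PEB_LDR_DATA header is no longer read as if it
  were a module entry.

  Offsets used (x86):
    PEB+$0C                   Ldr
    PEB_LDR_DATA+$0C          InLoadOrderModuleList (LIST_ENTRY head)
    LDR_DATA_TABLE_ENTRY+$18  DllBase
    LDR_DATA_TABLE_ENTRY+$20  SizeOfImage }
function FindImageSize(Base: DWORD): DWORD;
var
  Peb, Ldr, Head, Entry: Pointer;
begin
  asm
    mov eax, fs:[$30]   { TEB->ProcessEnvironmentBlock }
    mov Peb, eax
  end;
  Result := 0;
  Ldr := Pointer(PDWORD(DWORD(Peb) + $0C)^);
  Head := Pointer(DWORD(Ldr) + $0C);
  Entry := Pointer(PDWORD(Head)^);            { Head->Flink = first entry }
  while Entry <> Head do
  begin
    if PDWORD(DWORD(Entry) + $18)^ = Base then
    begin
      Result := PDWORD(DWORD(Entry) + $20)^;
      Exit;
    end;
    Entry := Pointer(PDWORD(Entry)^);         { Entry->Flink }
  end;
end;

{ True if the instruction starting at Op is an EIP-relative branch
  (CALL/JMP rel32, JMP rel8, Jcc rel8/rel32, LOOPxx/JECXZ). Such bytes cannot
  simply be copied into Trampoline because their displacement would then be
  relative to the wrong address. Prefix bytes (66h/F2h/F3h) in front of a
  branch are not recognised; this is a best-effort guard, not a decoder. }
function IsRelativeBranch(Op: PByte): Boolean;
begin
  case Op^ of
    $E8, $E9, $EB, $70..$7F, $E0..$E3:
      Result := True;
    $0F:
      Result := (PByte(DWORD(Op) + 1)^ and $F0) = $80;  { 0F 80..8F = Jcc rel32 }
  else
    Result := False;
  end;
end;

{ Trampoline: the first TrampolineCapacity bytes are a NOP pad that
  Button1Click overwrites with the stolen FreeLibrary prologue; execution then
  continues in the real FreeLibrary at PtrReal + CbStolen.

  Pure-asm, parameterless and without locals on purpose: Delphi then emits no
  stack frame, so the caller's stack reaches FreeLibrary untouched. EAX may be
  clobbered because it is volatile at a stdcall entry point. }
procedure Trampoline;
asm
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  mov eax, PtrReal
  add eax, CbStolen
  jmp eax
end;

{ HookStub: entered via the JMP written over the first bytes of FreeLibrary,
  so the stack is exactly as FreeLibrary received it:
    [esp]   return address into the caller
    [esp+4] hLibModule (the single stdcall argument)

  If the return address is inside ntdll.dll's image the call is swallowed and
  FreeLibrary "returns" FALSE with a proper stdcall cleanup (ret 4). Otherwise
  control passes to Trampoline. The original code popped several extra dwords
  off the stack before jumping back to the caller; a one-argument stdcall
  callee must remove exactly one dword, which `ret 4` does.

  Same constraints as Trampoline: no parameters, no locals, globals only. }
procedure HookStub;
asm
  push eax
  mov  eax, [esp + 4]       { return address of FreeLibrary's caller }
  sub  eax, NtdllBase
  cmp  eax, NtdllLength     { unsigned: (ret - base) < SizeOfImage ? }
  pop  eax                  { pop does not touch the flags }
  jae  @@PassThrough
  xor  eax, eax             { caller is inside ntdll: pretend failure }
  ret  4
@@PassThrough:
  jmp  Trampoline
end;

{ Appends one line to the memo (the form's log). }
procedure TForm1.ShowMsg(const S: string);
begin
  Memo1.Lines.Add(S);
end;

{ Installs the FreeLibrary hook in this process.

  Steps: locate ntdll's image range (needed by HookStub), resolve the real
  FreeLibrary, refuse if it already starts with E9 (someone hooked it first),
  measure whole instructions with LDE32 until >= JmpSize bytes are covered,
  copy them into Trampoline, then write the JMP. The original page protection
  is restored afterwards; the original code left the page RWX. }
procedure TForm1.Button1Click(Sender: TObject);
var
  Bytes: array[0..JmpSize - 1] of Byte;
  Jmp: array[0..JmpSize - 1] of Byte;
  Rel: DWORD;
  Len: Integer;
  OldProtect, OldTrampProtect, Dummy, Count: DWORD;
begin
  PtrReal := nil;
  CbStolen := 0;
  NtdllBase := DWORD(GetModuleHandle('ntdll.dll'));
  NtdllLength := FindImageSize(NtdllBase);
  if NtdllLength = 0 then
  begin
    ShowMsg('Can''t get ntdll.dll image size!');
    Exit;
  end;

  { Remote-process variant (disabled in the original, kept as a note):
      CreateProcess(DesPath, nil, nil, nil, False, CREATE_SUSPENDED, nil, nil, si, pi);
      Read/WriteProcessMemory(pi.hProcess, ...); ResumeThread(pi.hThread);
    HookStub and Trampoline live in *this* image, so that variant would also
    have to inject them; as written the stubs only work in-process. }

  ShowMsg('Prepare to hook ' + Func2Hook + '...');
  PtrReal := GetProcAddress(GetModuleHandle('kernel32.dll'), Func2Hook);
  if not Assigned(PtrReal) then
  begin
    ShowMsg('Addr of ' + Func2Hook + ' is unreadable! Exit!');
    Exit;
  end;
  ShowMsg('Real ' + Func2Hook + ' addr: ' + IntToHex(DWORD(PtrReal), 8));

  if (not ReadProcessMemory(GetCurrentProcess, PtrReal, @Bytes, JmpSize, Count))
    or (Count <> JmpSize) then
  begin
    ShowMsg('ReadProcessMemory failed: ' + SysErrorMessage(GetLastError));
    Exit;
  end;
  if Bytes[0] = $E9 then
  begin
    ShowMsg(Func2Hook + ' has already been hooked! Exit!');
    Exit;
  end;
  Move(Bytes, OriginalBytes, JmpSize);
  ShowMsg(Func2Hook + ' hasn''t been hooked yet.');

  { Steal whole instructions until the JMP fits. LDE32 is assumed to return
    the length of the instruction at the given address (review: confirm
    against mlde32unit); a non-positive length would otherwise loop forever. }
  while CbStolen < JmpSize do
  begin
    if IsRelativeBranch(PByte(DWORD(PtrReal) + CbStolen)) then
    begin
      ShowMsg('Prologue has a relative branch at +' + IntToStr(CbStolen) +
        ', can''t relocate it. Exit!');
      Exit;
    end;
    Len := LDE32(Pointer(DWORD(PtrReal) + CbStolen));
    if Len <= 0 then
    begin
      ShowMsg('LDE32 could not decode the instruction at +' +
        IntToStr(CbStolen) + '. Exit!');
      Exit;
    end;
    Inc(CbStolen, Len);
  end;
  if CbStolen > TrampolineCapacity then
  begin
    ShowMsg('Need ' + IntToStr(CbStolen) + ' bytes but Trampoline only holds ' +
      IntToStr(TrampolineCapacity) + '. Exit!');
    Exit;
  end;
  ShowMsg('Let''s steal the first ' + IntToStr(CbStolen) + ' bytes :)');

  ShowMsg('But first make it writable...');
  if not VirtualProtect(PtrReal, CbStolen, PAGE_EXECUTE_READWRITE, @OldProtect) then
  begin
    ShowMsg('Make ' + IntToHex(DWORD(PtrReal), 8) + ' writable failed!');
    Exit;
  end;
  ShowMsg('Make ' + IntToHex(DWORD(PtrReal), 8) + ' writable OK!');

  try
    ShowMsg('Assemble JMP code & hook ' + Func2Hook + '...');
    { E9 rel32: displacement is relative to the end of the 5-byte JMP. }
    Rel := DWORD(@HookStub) - DWORD(PtrReal) - JmpSize;
    Jmp[0] := $E9;
    Move(Rel, Jmp[1], SizeOf(Rel));

    { Trampoline sits in this module's code section, which is not writable. }
    if not VirtualProtect(@Trampoline, TrampolineCapacity,
      PAGE_EXECUTE_READWRITE, @OldTrampProtect) then
    begin
      ShowMsg('Make Trampoline writable failed!');
      Exit;
    end;
    try
      CopyMemory(@Trampoline, PtrReal, CbStolen);
    finally
      VirtualProtect(@Trampoline, TrampolineCapacity, OldTrampProtect, @Dummy);
    end;

    if (not WriteProcessMemory(GetCurrentProcess, PtrReal, @Jmp, JmpSize, Count))
      or (Count <> JmpSize) then
    begin
      ShowMsg('WriteProcessMemory failed: ' + SysErrorMessage(GetLastError));
      Exit;
    end;
    FlushInstructionCache(GetCurrentProcess, PtrReal, CbStolen);
    ShowMsg('Hook ' + Func2Hook + ' succeeded!');
  finally
    { Put the patched page back to its previous (non-writable) protection. }
    VirtualProtect(PtrReal, CbStolen, OldProtect, @Dummy);
  end;
end;

{ Releases any previous block and allocates a 1 KB RWX region into Ptr.
  The original also carried a disabled `call PPP` experiment here (PPP is the
  shared-section view that FormCreate fills with a RET byte). }
procedure TForm1.Button2Click(Sender: TObject);
begin
  Button3Click(nil);
  Ptr := VirtualAlloc(nil, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if not Assigned(Ptr) then
    Memo1.Lines.Add('Fatal error: VirtualAlloc failed!')
  else
    Memo1.Lines.Add('VirtualAlloc succeeded!');
end;

{ Frees the RWX block (if any) and tears down the shared section. Both are
  guarded so a failed FormCreate does not make this double-free or close an
  invalid handle. }
procedure TForm1.FormDestroy(Sender: TObject);
begin
  Button3Click(nil);
  if Assigned(PPP) then
  begin
    UnmapViewOfFile(PPP);
    PPP := nil;
  end;
  if H <> 0 then
  begin
    CloseHandle(H);
    H := 0;
  end;
end;

{ Releases the block allocated by Button2Click. Ptr is reset to nil so that a
  second click, or FormDestroy after a click, cannot VirtualFree a stale
  pointer (the original left Ptr dangling). }
procedure TForm1.Button3Click(Sender: TObject);
begin
  if Assigned(Ptr) then
  begin
    VirtualFree(Ptr, 0, MEM_RELEASE);
    Ptr := nil;
  end;
end;

{ Creates a 1-byte pagefile-backed section named 'pe', maps it into PPP,
  shows the view address in the caption and writes a RET (C3h) into it.

  The view is PAGE_READWRITE only, so the byte is data, not executable code.
  The section is created with no security descriptor under a fixed name, so
  any process in the same session can open 'pe' and overwrite it; fine for an
  experiment, not for anything that later executes from it. }
procedure TForm1.FormCreate(Sender: TObject);
begin
  PPP := nil;
  H := CreateFileMapping(INVALID_HANDLE_VALUE, nil, PAGE_READWRITE or SEC_COMMIT,
    0, 1, 'pe');
  if H = 0 then
  begin
    Caption := 'CreateFileMapping failed: ' + SysErrorMessage(GetLastError);
    Exit;
  end;
  PPP := MapViewOfFile(H, FILE_MAP_ALL_ACCESS, 0, 0, 0);
  if not Assigned(PPP) then
  begin
    Caption := 'MapViewOfFile failed: ' + SysErrorMessage(GetLastError);
    Exit;
  end;
  Caption := IntToHex(DWORD(PPP), 8);
  PByte(PPP)^ := $C3;
end;

{ Original forum note that accompanied this listing (translated):
  "Unit1 contains a lot of junk code - how could it be improved (e.g. moving
  the FakeCode part into a separate procedure)? If you clean it up, please
  send me a copy. The mlde32unit code comes from 29A issue 7; I forgot the
  author, sorry."
  Done above: FakeCode became HookStub, RtnCode became Trampoline. }

end.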