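unit Unit1;

{ Demo of an inline (JMP-patch) API hook installed in the current process.

  Button1 overwrites the first 5 bytes of kernel32!FreeLibrary with a JMP to
  HookStub.  A call whose return address lies inside ntdll.dll's image is
  refused (HookStub returns FALSE without calling the real function); every
  other call continues in the original function through Trampoline, which
  holds the instructions that were displaced by the JMP.  Button2/Button3
  allocate and release an RWX block; FormCreate/FormDestroy hold a tiny
  pagefile-backed mapping.

  Review notes (defensive):
  - The patch leaves the usual inline-hook artifacts: an E9 byte at the entry
    of an exported function (the code itself uses that byte as its
    "already hooked" test), a code page of kernel32 and a piece of this
    module's own code switched to PAGE_EXECUTE_READWRITE, and an in-memory
    image that no longer matches the file on disk.  Memory-integrity checks
    look for exactly these.
  - Displaced instructions are copied, not relocated: if the stolen prefix
    contains a relative jump or call it will run from the wrong address.
  - Everything here is 32-bit only: fs:[$30], the loader-list offsets and the
    5-byte rel32 JMP.
  - The original listing carried a commented-out variant that targeted a
    separately created, suspended process; it is left commented out here. }

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls;

type
  TForm1 = class(TForm)
    Button1: TButton;
    Memo1: TMemo;
    Button2: TButton;
    Button3: TButton;
    procedure Button1Click(Sender: TObject);
    procedure Button2Click(Sender: TObject);
    procedure Button3Click(Sender: TObject);
    procedure FormDestroy(Sender: TObject);
    procedure FormCreate(Sender: TObject);
  private
    { Private declarations }
    procedure ShowMsg(s: string);
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

uses
  mlde32unit;   // LDE32: x86 instruction-length decoder (from 29A #7)

const
  DesPath = 'c:/program files/borland/delphi6/projects/adv apihook/test/vt.exe';
  Func2Hook = 'FreeLibrary';

  // Size in bytes of the NOP pad at the start of Trampoline.  The prefix
  // stolen from Func2Hook is copied over it, so cbStolen must never exceed
  // this.  Keep in sync with the number of NOPs in Trampoline.
  TrampolinePad = 13;

var
  // HookStub and Trampoline reference these as absolute memory operands and
  // run without a Delphi stack frame, so they must be unit-level variables,
  // never locals of the installing procedure.
  PtrReal: Pointer;                  // address of the real Func2Hook
  cbStolen: Cardinal;                // length of the displaced prefix (>= 5)
  ntdllBase, ntdllLength: DWORD;     // image range of ntdll.dll
  h: DWORD;                          // file-mapping handle from FormCreate
  Ptr, PPP: Pointer;                 // RWX block (Button2) / mapped view (FormCreate)

{ Append one line to the memo; all progress and error output goes through here. }
procedure TForm1.ShowMsg(s: string);
begin
  Memo1.Lines.Add(s);
end;

{ Return the SizeOfImage recorded in the in-load-order module list for the
  module loaded at Base, or 0 when no entry has that base.
  Reads undocumented 32-bit loader structures at the fixed offsets the
  original listing used (PEB+$0C = Ldr, Ldr+$0C = InLoadOrderModuleList,
  entry+$18 = DllBase, entry+$20 = SizeOfImage) - valid for 32-bit
  processes only.  The walk stops at the list head instead of reading it
  as if it were a module entry. }
function ImageSizeFromLoaderList(Base: DWORD): DWORD;
var
  PebPtr, Ldr, ListHead, Entry: Pointer;
begin
  Result := 0;
  asm
    mov eax, fs:[$30]          // TEB+$30 holds the PEB pointer (32-bit)
    mov PebPtr, eax
  end;
  Ldr := Pointer(DWORD(Pointer(DWORD(PebPtr) + $0C)^));   // PEB.Ldr
  ListHead := Pointer(DWORD(Ldr) + $0C);                   // &Ldr.InLoadOrderModuleList
  Entry := Pointer(DWORD(ListHead^));                       // head.Flink = first entry
  while Entry <> ListHead do
  begin
    if DWORD(Pointer(DWORD(Entry) + $18)^) = Base then      // entry.DllBase
    begin
      Result := DWORD(Pointer(DWORD(Entry) + $20)^);         // entry.SizeOfImage
      Exit;
    end;
    Entry := Pointer(DWORD(Entry^));                          // next entry (Flink)
  end;
end;

{$W-}   // no stack frames: the two stubs below are entered via JMP, not CALL

{ Continuation for calls that are allowed through.  Button1Click copies the
  first cbStolen bytes of Func2Hook over the NOP pad at runtime; after they
  execute, control jumps to PtrReal + cbStolen, the first instruction that
  was not displaced.  Must contain exactly TrampolinePad NOPs. }
procedure Trampoline;
asm
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  nop
  mov  eax, PtrReal
  add  eax, cbStolen
  jmp  eax
end;

{ Entry point of the hook.  Reached by the JMP written over Func2Hook, so on
  entry the stack is exactly that of a call to FreeLibrary:
      [esp]    return address into the caller
      [esp+4]  hLibModule - the single stdcall argument
  If the return address is inside ntdll.dll the call is swallowed: the
  argument is dropped (stdcall: callee cleans it), EAX := 0 (FALSE) and
  control goes back to the caller.  Otherwise it falls through to
  Trampoline.  EAX is clobbered on the pass-through path; that is fine
  because EAX is caller-saved and the caller expects it to hold the result.
  The distance check is unsigned, so return addresses below ntdll's base
  wrap to a large value and are correctly rejected.
  NOTE(review): the original listing popped three dwords before returning;
  FreeLibrary takes one DWORD argument, so one dword is removed here -
  confirm against the real listing if the page's garbling is in doubt. }
procedure HookStub;
asm
  mov  eax, [esp]            // return address of the intercepted call
  sub  eax, ntdllBase
  cmp  eax, ntdllLength      // unsigned: (ret - base) < length
  jae  @@PassThrough
  pop  edx                   // return address
  add  esp, 4                // discard hLibModule
  xor  eax, eax              // FreeLibrary -> FALSE
  jmp  edx
@@PassThrough:
  jmp  Trampoline
end;

{$W+}

{ Install the hook on Func2Hook in the current process.
  Steps: obtain ntdll's image range (used by HookStub to pick callers),
  read the first 5 bytes of the target and refuse to hook twice, measure
  whole instructions with LDE32 until at least 5 bytes are covered, copy
  that prefix into Trampoline's pad, then write the 5-byte JMP.  Every step
  is reported in Memo1 and any failure aborts without touching the target. }
procedure TForm1.Button1Click(Sender: TObject);
var
  // si: STARTUPINFO;
  // pi: PROCESS_INFORMATION;
  OriginalBytes: array[0..4] of Char;   // kept for a future unhook; not used yet
  Bytes: array[0..4] of Char;
  HookJmp: PChar;
  Rtn: Cardinal;                         // bytes read/written
  Rel: DWORD;                            // rel32 operand of the JMP
  OldProt: DWORD;
begin
  PtrReal := nil;
  ntdllBase := GetModuleHandle('ntdll.dll');
  ntdllLength := ImageSizeFromLoaderList(ntdllBase);
  if ntdllLength = 0 then
  begin
    // without the range HookStub could never match a caller; the original
    // listing only reported this and went on to install the hook anyway
    ShowMsg('Can''t get ntdll.dll image size! Exit!');
    Exit;
  end;
  { ShowMsg('Creating suspended process...');
    ZeroMemory(@si, SizeOf(STARTUPINFO));
    si.cb := SizeOf(STARTUPINFO);
    CreateProcess(DesPath, nil, nil, nil, False, CREATE_SUSPENDED, nil, nil, si, pi); }

  ShowMsg('Preparing to hook ' + Func2Hook + '...');
  PtrReal := GetProcAddress(GetModuleHandle('kernel32.dll'), Func2Hook);
  if not Assigned(PtrReal) then
  begin
    ShowMsg('Addr of ' + Func2Hook + ' is unreadable! Exit!');
    Exit;
  end;
  ShowMsg('Real ' + Func2Hook + ' addr: ' + IntToHex(DWORD(PtrReal), 8));

  if not ReadProcessMemory(GetCurrentProcess, PtrReal, @Bytes, 5, Rtn) then
  begin
    ShowMsg('Reading ' + Func2Hook + ' failed! Exit!');
    Exit;
  end;
  // an E9 (JMP rel32) as first byte means somebody - maybe us - already patched it
  if Bytes[0] = Chr($E9) then
  begin
    ShowMsg(Func2Hook + ' has been hooked already! Exit!');
    Exit;
  end;
  CopyMemory(@OriginalBytes, @Bytes, 5);
  ShowMsg(Func2Hook + ' hasn''t been hooked!');

  // steal whole instructions until the 5-byte JMP fits
  cbStolen := 0;
  while cbStolen < 5 do
    cbStolen := cbStolen + LDE32(Pointer(DWORD(PtrReal) + cbStolen));
  ShowMsg('Let''s steal the first ' + IntToStr(cbStolen) + ' bytes :)');
  if cbStolen > TrampolinePad then
  begin
    // would overwrite the mov/add/jmp that follow the pad in Trampoline
    ShowMsg('Stolen prefix is longer than the trampoline pad! Exit!');
    Exit;
  end;

  ShowMsg('But first make it writable...');
  if VirtualProtect(PtrReal, cbStolen, PAGE_EXECUTE_READWRITE, @OldProt) then
    ShowMsg('Make ' + IntToHex(DWORD(PtrReal), 8) + ' writable ok!')
  else
  begin
    ShowMsg('Make ' + IntToHex(DWORD(PtrReal), 8) + ' writable failed! Exit!');
    Exit;
  end;

  ShowMsg('Assembling JMP code & hooking ' + Func2Hook + '...');
  GetMem(HookJmp, 5);
  try
    HookJmp[0] := Chr($E9);
    Rel := DWORD(@HookStub) - DWORD(PtrReal) - 5;   // rel32 is relative to the end of the JMP
    CopyMemory(@HookJmp[1], @Rel, 4);

    // Trampoline lives in this module's code: make its pad writable first
    if not VirtualProtect(@Trampoline, cbStolen, PAGE_EXECUTE_READWRITE, @OldProt) then
    begin
      ShowMsg('Make trampoline writable failed! Exit!');
      Exit;
    end;
    CopyMemory(@Trampoline, PtrReal, cbStolen);

    if WriteProcessMemory(GetCurrentProcess, PtrReal, HookJmp, 5, Rtn) then
      ShowMsg('Hook ' + Func2Hook + ' success!')
    else
      ShowMsg('Writing the JMP failed!');
  finally
    FreeMem(HookJmp);
  end;
end;

{ Release the previous RWX block, if any, then commit 1 KiB of
  PAGE_EXECUTE_READWRITE memory.  The original also had a commented-out
  call into PPP, kept below. }
procedure TForm1.Button2Click(Sender: TObject);
begin
  { asm
      call PPP
    end;
    Exit; }
  Button3Click(nil);
  Ptr := VirtualAlloc(nil, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  if not Assigned(Ptr) then
    Memo1.Lines.Add('Fatal error: VirtualAlloc failed!')
  else
    Memo1.Lines.Add('VirtualAlloc success!');
end;

{ Free the RWX block and drop the mapping created in FormCreate.  Both are
  guarded so a failed FormCreate does not turn into an invalid-handle call. }
procedure TForm1.FormDestroy(Sender: TObject);
begin
  Button3Click(nil);
  if Assigned(PPP) then
    UnmapViewOfFile(PPP);
  if h <> 0 then
    CloseHandle(h);
end;

{ Release the RWX block allocated by Button2.  Ptr is reset to nil so a
  second click, or FormDestroy after a click, does not free it twice. }
procedure TForm1.Button3Click(Sender: TObject);
begin
  if Assigned(Ptr) then
  begin
    VirtualFree(Ptr, 0, MEM_RELEASE);
    Ptr := nil;
  end;
end;

{ Create a 1-byte pagefile-backed mapping named 'pe', map it, show its
  address in the caption and store a single RET ($C3) in it.  The view is
  PAGE_READWRITE, so the byte is plain data, not executable code.  Both
  API results are checked before the view is written. }
procedure TForm1.FormCreate(Sender: TObject);
begin
  h := CreateFileMapping(INVALID_HANDLE_VALUE, nil, PAGE_READWRITE or SEC_COMMIT, 0, 1, 'pe');
  if h = 0 then
  begin
    Caption := 'CreateFileMapping failed';
    Exit;
  end;
  PPP := MapViewOfFile(h, FILE_MAP_ALL_ACCESS, 0, 0, 0);
  if not Assigned(PPP) then
  begin
    Caption := 'MapViewOfFile failed';
    Exit;
  end;
  Caption := IntToHex(DWORD(PPP), 8);
  Char(PPP^) := Chr($C3);
end;

end.
========
Unit1裡有很多垃圾代碼怎麼改的更好(如將fakecode部分放到單獨過程中)。如果你改好了希望能發給我一份。mlde32unit代碼來自29a第七期,作者忘記了,不好意思。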