R3 HOOK OpenProcess 的问题
2017-01-17 22:01
unit HookAPI; //Download by http://www.codefans.net

{
  In-process import-address-table (IAT) patching helpers.

  RepointFunction walks the import descriptors of the main module and,
  recursively, of every DLL it names, and overwrites each IAT slot whose
  resolved target equals OldFunc with NewFunc. LocateFunctionAddress
  resolves an "import thunk" (jmp [imm32]) to the address it jumps to so
  that comparisons are made against the real function address.

  Everything here assumes a 32-bit process: pointer arithmetic goes through
  Integer and the IAT write is a hard-coded 4 bytes.

  Detection note: after patching, IAT entries point outside the exporting
  module, which IAT-integrity checks (comparing each slot to the DLL's
  export table) will flag.
}

interface

uses Windows, Classes;

// Returns the real target of Code if Code is an FF 25 indirect jump thunk,
// Code itself otherwise, or nil if the bytes at Code could not be read.
function LocateFunctionAddress(Code: Pointer): Pointer;

// Replaces every IAT entry of the current module (and, transitively, the
// modules it imports) that resolves to OldFunc with NewFunc.
// Returns the number of entries patched in the root module only (see the
// implementation for why nested counts are not included).
function RepointFunction(OldFunc, NewFunc: Pointer): Integer;

type
  // One import descriptor entry. Its layout mirrors IMAGE_IMPORT_DESCRIPTOR:
  // five DWORDs, with the MajorVersion/MinorVersion pair occupying the slot
  // that the Windows headers call ForwarderChain, and LookupTable sitting
  // where FirstThunk (the RVA of the IAT) is.
  PImage_Import_Entry = ^Image_Import_Entry;
  Image_Import_Entry = record
    Characteristics: DWORD;  // OriginalFirstThunk / Characteristics
    TimeDateStamp: DWORD;
    MajorVersion: Word;      // together with MinorVersion: ForwarderChain slot
    MinorVersion: Word;
    Name: DWORD;             // RVA of the imported DLL's name (ASCIIZ)
    LookupTable: DWORD;      // RVA of the IAT for this DLL (FirstThunk)
  end;

type
  // Shape of an import thunk: a 2-byte opcode followed by a 4-byte absolute
  // address of the pointer that holds the real function address.
  // packed so the pointer field lands at offset 2, directly after the opcode.
  TImportCode = packed record
    JumpInstruction: Word;               // expected to be $25FF (bytes FF 25: jmp dword ptr [imm32])
    AddressOfPointerToFunction: ^Pointer; // address of the slot holding the jump target
  end;
  PImportCode = ^TImportCode;

implementation

// Resolves Code through a single import thunk, if it is one.
// Returns:
//   nil                       - Code is nil, or reading the bytes at Code raised
//                               (the try/except turns an access violation into nil)
//   func.AddressOfPointerToFunction^ - Code starts with the FF 25 opcode word
//   Code                      - anything else (not a thunk; passed through unchanged)
function LocateFunctionAddress(Code: Pointer): Pointer;
var
  func: PImportCode;
begin
  Result := Code;
  if Code = nil then exit;
  try
    func := code;
    // $25FF is the little-endian word for bytes FF 25, the indirect
    // "jmp [imm32]" that compilers emit for imported-function thunks.
    if (func.JumpInstruction = $25FF) then
    begin
      Result := func.AddressOfPointerToFunction^;
    end;
  except
    // Unreadable memory at Code: report "unknown" rather than propagate.
    Result := nil;
  end;
end;

// Entry point: creates the visited-module list, patches starting from the
// main module (GetModuleHandle(nil)), and frees the list.
function RepointFunction(OldFunc, NewFunc: Pointer): Integer;
var
  IsDone: TList;  // module base addresses already processed; guards the recursion below

  // Patches one module's IAT and recurses into each DLL it imports.
  // hModule is the module base (the PE image is mapped at this address).
  // Returns the number of IAT slots rewritten in THIS module only; the
  // results of the recursive calls are discarded (see the statement call below).
  function RepointAddrInModule(hModule: THandle; OldFunc, NewFunc: Pointer): Integer;
  var
    Dos: PImageDosHeader;
    NT: PImageNTHeaders;
    ImportDesc: PImage_Import_Entry;
    RVA: DWORD;
    Func: ^Pointer;   // cursor over the IAT slots
    DLL: string;
    f: Pointer;
    written: DWORD;
  begin
    Result := 0;
    Dos := Pointer(hModule);
    // Each module is processed once; DLLs import each other, so without this
    // the recursion would loop forever.
    if IsDone.IndexOf(Dos) >= 0 then exit;
    IsDone.Add(Dos);
    // Compare against the real function address, not against a thunk.
    // NOTE(review): this is re-applied on every recursive call; it is a no-op
    // unless the bytes at OldFunc happen to start with FF 25.
    OldFunc := LocateFunctionAddress(OldFunc);
    // Sanity checks on the mapped image before following any RVA.
    // NOTE(review): IsBadReadPtr is documented by Microsoft as obsolete and
    // unreliable; a structured-exception guard would be the safer check.
    if IsBadReadPtr(Dos, SizeOf(TImageDosHeader)) then exit;
    if Dos.e_magic <> IMAGE_DOS_SIGNATURE then exit;
    // 32-bit only: Integer() arithmetic truncates pointers on a 64-bit build.
    NT := Pointer(Integer(Dos) + dos._lfanew);
    RVA := NT^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if RVA = 0 then exit;  // module has no import directory
    ImportDesc := pointer(integer(Dos) + RVA);
    // The import descriptor array is terminated by an entry with Name = 0.
    while (ImportDesc^.Name <> 0) do
    begin
      DLL := PChar(Integer(Dos) + ImportDesc^.Name);
      // Recurse into the imported DLL. Its patch count is not added to Result.
      // GetModuleHandle returns 0 if the DLL is not loaded; that handle then
      // fails the IsBadReadPtr / e_magic checks above and is skipped.
      RepointAddrInModule(GetModuleHandle(PChar(DLL)), OldFunc, NewFunc);
      // Walk this DLL's IAT (null-terminated array of function pointers).
      Func := Pointer(Integer(DOS) + ImportDesc.LookupTable);
      while Func^ <> nil do
      begin
        // Resolve the slot through a possible thunk before comparing.
        f := LocateFunctionAddress(Func^);
        if f = OldFunc then
        begin
          // Overwrite the IAT slot with NewFunc. WriteProcessMemory is used
          // on the current process rather than a direct store, presumably so
          // the write succeeds when the IAT page is read-only — confirm.
          // The hard-coded 4 is the 32-bit pointer size (SizeOf(Pointer)).
          WriteProcessMemory(GetCurrentProcess, Func, @NewFunc, 4, written);
          if Written > 0 then Inc(Result);
        end;
        Inc(Func);  // typed pointer: advances by SizeOf(Pointer)
      end;
      Inc(ImportDesc);
    end;
  end;

begin
  IsDone := TList.Create;
  try
    Result := RepointAddrInModule(GetModuleHandle(nil), OldFunc, NewFunc);
  finally
    IsDone.Free;
  end;
end;

// NOTE(review): the unit terminator "end." is absent from this listing; the
// unit will not compile as pasted.
对 OpenProcess 进行 HOOK 时，只运行一个程序一切正常，但同时运行两个相同的程序就会出问题，有没有更稳定的办法？
可以看一下 AFXRootkit 的代码。
http://code.google.com/p/delphi-hook-library/
http://bbs.2ccc.com/topic.asp?topicid=479563 http://bbs.2ccc.com/topic.asp?topicid=525150