主题:APIHOOK的问题
为什么一直出错呀
unit apihook ;
interface
uses
SysUtils, Windows, WinSock, Dialogs;
type
{ Signature of the API being hooked (kernel32 WideCharToMultiByte). It is
  declared here for callers that want a typed pointer to the original; nothing
  in this unit itself uses it. }
TWideToMulti = function (cp:cardinal; deflags:cardinal; lpWideChar:PWideChar;
cchWideChar:Integer; lpMultiByteStr:PAnsiChar; cchMultiByte:Integer;
lpDefaultChar:PAnsiChar; lpUsedDefaultChar:PBOOL): Integer; stdcall;
{ HookAPI patches the entry of WideCharToMultiByte in the current process so
  calls land in MyWideToMulti; UnHookAPI writes the saved bytes back. }
procedure HookAPI;
procedure UnHookAPI;
var
{ Process whose memory is patched. HookAPI sets it to the pseudo-handle -1
  (the current process), so the HWND type is misleading: it is never a window. }
ProcessHandle: HWND;
{ Entry address of the hooked function; only index 0 is used in this unit. }
BaseAddress: array [0..2] of Pointer;
{ First 8 bytes of the original function, saved by HookAPI so they can be
  restored. }
OldProc: array [0..2] of array [0..7] of Byte;
{ The 8-byte patch written over the entry ("NewPorc" is a typo for NewProc
  that the other routines depend on). }
NewPorc: array [0..2] of array [0..7] of Byte;
{ Replacement that receives every call to WideCharToMultiByte while the hook
  is installed. It puts the original entry bytes back, forwards the call to
  the real function, then re-installs the patch. Parameters and return value
  mirror WideCharToMultiByte; the result of the real call is returned as is.
  NOTE(review): nothing guards the window between the two WriteProcessMemory
  calls. Another thread entering WideCharToMultiByte in that window runs the
  real function unhooked or, in the middle of a write, partially patched
  bytes; this is a plausible source of the intermittent faults the poster
  asks about. The return values of WriteProcessMemory are not checked. }
function MyWideToMulti(cp:cardinal; deflags:cardinal; lpWideChar:PWideChar;
cchWideChar:Integer; lpMultiByteStr:PAnsiChar; cchMultiByte:Integer;
lpDefaultChar:PAnsiChar; lpUsedDefaultChar:PBOOL): Integer; stdcall;
var
nSize: Cardinal; { bytes written, reported by WriteProcessMemory; never inspected }
begin
{ Display }
//ShowMessage(String(lpWideChar));
{ NOTE(review): if the ShowMessage above is re-enabled it runs while the
  patch is still in place; any wide-to-multibyte conversion performed on the
  way to the dialog would presumably come back into this function and
  recurse until the stack overflows. Placing it after the restore below
  avoids that. }
WriteProcessMemory(ProcessHandle, BaseAddress[0], @OldProc[0], 8, nSize);// restore the original entry bytes so the call below reaches the real function
Result := WideCharToMultiByte(cp, deflags, lpWideChar,
cchWideChar, lpMultiByteStr, cchMultiByte,
lpDefaultChar, lpUsedDefaultChar) ;
WriteProcessMemory(ProcessHandle, BaseAddress[0], @NewPorc[0], 8, nSize);// re-install the patch so the next caller comes back through this function
// UnHookAPI;
end;
{ Install the hook: save the first 8 bytes of kernel32 WideCharToMultiByte
  into OldProc[0], then overwrite them with "mov eax, @MyWideToMulti" ($B8 +
  4-byte immediate) followed by "jmp eax" ($FF $E0). Assumes a 32-bit process:
  the target address is copied as a 4-byte DWORD.
  NOTE(review): LoadLibrary, GetProcAddress, ReadProcessMemory and
  WriteProcessMemory results are not checked; a nil BaseAddress[0] makes the
  memory calls fail silently and leaves OldProc[0] unset, so a later
  UnHookAPI writes garbage. Patching the code pages of a loaded system DLL
  in-process is exactly what integrity checks and endpoint monitoring flag,
  so expect this to be blocked or reported on a protected host. }
procedure HookAPI;
var
DLLModule: THandle;
nSize: Cardinal; { byte count out-parameter; never inspected }
Dat: DWORD; { address of MyWideToMulti as a 32-bit integer }
Tmp : array [0..3] of Byte; { the same address split into bytes for the patch }
begin
ProcessHandle := DWORD(-1); { pseudo-handle meaning the current process }
DLLModule := LoadLibrary('kernel32.dll');
{ Entry-point address of the system function }
BaseAddress[0] := GetProcAddress(DLLModule,'WideCharToMultiByte');
Dat := DWORD(@MyWideToMulti);
Move(Dat, Tmp, 4);
NewPorc[0][0] := $B8; { mov eax, imm32 }
NewPorc[0][1] := Tmp[0]; { imm32 = @MyWideToMulti, low byte first }
NewPorc[0][2] := Tmp[1];
NewPorc[0][3] := Tmp[2];
NewPorc[0][4] := Tmp[3];
NewPorc[0][5] := $FF; { jmp eax }
NewPorc[0][6] := $E0;
NewPorc[0][7] := 0; { padding: 8 bytes are written but only 7 encode instructions }
{ Save the original 8 bytes of the system function }
ReadProcessMemory(ProcessHandle, BaseAddress[0], @OldProc[0], 8, nSize);
{ Overwrite the entry with the jump to our function }
WriteProcessMemory(ProcessHandle, BaseAddress[0], @NewPorc[0], 8, nSize);
CloseHandle(ProcessHandle); { closing the pseudo-handle has no effect; ProcessHandle stays -1 for the later calls }
end;
{ Remove the hook by writing the 8 original bytes saved in OldProc[0] back
  over the entry of the patched function. The byte count reported by
  WriteProcessMemory is stored but not inspected, and its result is ignored. }
procedure UnHookAPI;
const
PatchLen = 8;
var
Written: Cardinal;
begin
{ Put the saved prologue bytes back in place }
WriteProcessMemory(ProcessHandle, BaseAddress[0], @OldProc[0], PatchLen, Written);
end;
end.
unit apihook ;
interface
uses
SysUtils, Windows, WinSock, Dialogs;
type
{ Signature of the API being hooked (kernel32 WideCharToMultiByte). It is
  declared here for callers that want a typed pointer to the original; nothing
  in this unit itself uses it. }
TWideToMulti = function (cp:cardinal; deflags:cardinal; lpWideChar:PWideChar;
cchWideChar:Integer; lpMultiByteStr:PAnsiChar; cchMultiByte:Integer;
lpDefaultChar:PAnsiChar; lpUsedDefaultChar:PBOOL): Integer; stdcall;
{ HookAPI patches the entry of WideCharToMultiByte in the current process so
  calls land in MyWideToMulti; UnHookAPI writes the saved bytes back. }
procedure HookAPI;
procedure UnHookAPI;
var
{ Process whose memory is patched. HookAPI sets it to the pseudo-handle -1
  (the current process), so the HWND type is misleading: it is never a window. }
ProcessHandle: HWND;
{ Entry address of the hooked function; only index 0 is used in this unit. }
BaseAddress: array [0..2] of Pointer;
{ First 8 bytes of the original function, saved by HookAPI so they can be
  restored. }
OldProc: array [0..2] of array [0..7] of Byte;
{ The 8-byte patch written over the entry ("NewPorc" is a typo for NewProc
  that the other routines depend on). }
NewPorc: array [0..2] of array [0..7] of Byte;
{ Replacement that receives every call to WideCharToMultiByte while the hook
  is installed. It puts the original entry bytes back, forwards the call to
  the real function, then re-installs the patch. Parameters and return value
  mirror WideCharToMultiByte; the result of the real call is returned as is.
  NOTE(review): nothing guards the window between the two WriteProcessMemory
  calls. Another thread entering WideCharToMultiByte in that window runs the
  real function unhooked or, in the middle of a write, partially patched
  bytes; this is a plausible source of the intermittent faults the poster
  asks about. The return values of WriteProcessMemory are not checked. }
function MyWideToMulti(cp:cardinal; deflags:cardinal; lpWideChar:PWideChar;
cchWideChar:Integer; lpMultiByteStr:PAnsiChar; cchMultiByte:Integer;
lpDefaultChar:PAnsiChar; lpUsedDefaultChar:PBOOL): Integer; stdcall;
var
nSize: Cardinal; { bytes written, reported by WriteProcessMemory; never inspected }
begin
{ Display }
//ShowMessage(String(lpWideChar));
{ NOTE(review): if the ShowMessage above is re-enabled it runs while the
  patch is still in place; any wide-to-multibyte conversion performed on the
  way to the dialog would presumably come back into this function and
  recurse until the stack overflows. Placing it after the restore below
  avoids that. }
WriteProcessMemory(ProcessHandle, BaseAddress[0], @OldProc[0], 8, nSize);// restore the original entry bytes so the call below reaches the real function
Result := WideCharToMultiByte(cp, deflags, lpWideChar,
cchWideChar, lpMultiByteStr, cchMultiByte,
lpDefaultChar, lpUsedDefaultChar) ;
WriteProcessMemory(ProcessHandle, BaseAddress[0], @NewPorc[0], 8, nSize);// re-install the patch so the next caller comes back through this function
// UnHookAPI;
end;
{ Install the hook: save the first 8 bytes of kernel32 WideCharToMultiByte
  into OldProc[0], then overwrite them with "mov eax, @MyWideToMulti" ($B8 +
  4-byte immediate) followed by "jmp eax" ($FF $E0). Assumes a 32-bit process:
  the target address is copied as a 4-byte DWORD.
  NOTE(review): LoadLibrary, GetProcAddress, ReadProcessMemory and
  WriteProcessMemory results are not checked; a nil BaseAddress[0] makes the
  memory calls fail silently and leaves OldProc[0] unset, so a later
  UnHookAPI writes garbage. Patching the code pages of a loaded system DLL
  in-process is exactly what integrity checks and endpoint monitoring flag,
  so expect this to be blocked or reported on a protected host. }
procedure HookAPI;
var
DLLModule: THandle;
nSize: Cardinal; { byte count out-parameter; never inspected }
Dat: DWORD; { address of MyWideToMulti as a 32-bit integer }
Tmp : array [0..3] of Byte; { the same address split into bytes for the patch }
begin
ProcessHandle := DWORD(-1); { pseudo-handle meaning the current process }
DLLModule := LoadLibrary('kernel32.dll');
{ Entry-point address of the system function }
BaseAddress[0] := GetProcAddress(DLLModule,'WideCharToMultiByte');
Dat := DWORD(@MyWideToMulti);
Move(Dat, Tmp, 4);
NewPorc[0][0] := $B8; { mov eax, imm32 }
NewPorc[0][1] := Tmp[0]; { imm32 = @MyWideToMulti, low byte first }
NewPorc[0][2] := Tmp[1];
NewPorc[0][3] := Tmp[2];
NewPorc[0][4] := Tmp[3];
NewPorc[0][5] := $FF; { jmp eax }
NewPorc[0][6] := $E0;
NewPorc[0][7] := 0; { padding: 8 bytes are written but only 7 encode instructions }
{ Save the original 8 bytes of the system function }
ReadProcessMemory(ProcessHandle, BaseAddress[0], @OldProc[0], 8, nSize);
{ Overwrite the entry with the jump to our function }
WriteProcessMemory(ProcessHandle, BaseAddress[0], @NewPorc[0], 8, nSize);
CloseHandle(ProcessHandle); { closing the pseudo-handle has no effect; ProcessHandle stays -1 for the later calls }
end;
{ Remove the hook by writing the 8 original bytes saved in OldProc[0] back
  over the entry of the patched function. The byte count reported by
  WriteProcessMemory is stored but not inspected, and its result is ignored. }
procedure UnHookAPI;
const
PatchLen = 8;
var
Written: Cardinal;
begin
{ Put the saved prologue bytes back in place }
WriteProcessMemory(ProcessHandle, BaseAddress[0], @OldProc[0], PatchLen, Written);
end;
end.