直接關閉注入的程式或者取消HOOK就會掛掉
直接上代碼吧,大佬幫我看看為什麼
//APIHook 代碼
unit APIHook;
// Patches ws2_32 send() in the current process and appends a hex dump of every
// outgoing buffer to LogFile.  The patching itself is done by TNtHookClass in
// unitHook; this unit only owns the replacement function and the log writer.
interface
uses
SysUtils,
Dialogs,
cq,
unitHook,
Windows, WinSock;
const
LogFile='c:\test.txt';   // log target; SaveInfo and recvout below still hard-code the same literal
my_ws2 = 'ws2_32.dll';   // module whose export is patched
//-------------------- Routine declarations ---------------------------
procedure HookAPI;                      // installs the send() hook once (guarded by G_IsHook)
procedure UnHookAPI;                    // writes the original send() bytes back
procedure SaveInfo(var buf); stdcall;   // unfinished stub: assigns and closes a file, writes nothing
function recvout(var Rbuf;RLen:Integer):Integer;   // hex-dumps RLen bytes of Rbuf into the log file
procedure writedat(s: string; datfile: string = logfile);   // appends s + CRLF to datfile, only if the file already exists
var
Hook: array[0..1] of TNtHookClass;   // two slots declared, only Hook[0] is ever used
G_IsHook : Boolean;                  // set True by HookAPI; never cleared in this unit
implementation
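function Mysenddata(s:TSocket;var Buf;len,flags:Integer):Integer;stdcall;
// Replacement for ws2_32 send().  Logs the outgoing buffer, then forwards the
// call to the real send() by temporarily restoring its original bytes.
// Returns whatever the real send() returns, or SOCKET_ERROR when the hook
// object is not reachable through Hook[0] (see below).
type
  TMysenddata = function (s:TSocket;var Buf;len,flags:Integer):Integer;stdcall;
begin
  // TNtHookClass.Create patches send() before it returns, so the patch is live
  // before HookAPI has stored the object in Hook[0].  A send() issued in that
  // window used to dereference nil here; fail the call instead of crashing the
  // host process.
  if not Assigned(Hook[0]) then
  begin
    Result := SOCKET_ERROR;
    Exit;
  end;
  Hook[0].UnHook;                  // put the original prologue back
  recvout(Buf, len);               // hex-dump the payload; its result is not needed
  Result := TMysenddata(Hook[0].BaseAddr)(s, Buf, len, flags);
  // Re-arm only while the hook is meant to be active; re-arming
  // unconditionally would silently undo UnHookAPI and leave send() jumping
  // into this unit after it has been unloaded.  Not thread-safe: another
  // thread calling send() while the original bytes are restored bypasses
  // the logging.
  if G_IsHook then
    Hook[0].Hook;
end;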
procedure SaveInfo(var buf); stdcall;
// Unfinished stub: exported from the interface but not called anywhere in
// this unit.  It assigns a file variable and closes it again without
// Reset/Rewrite, so nothing is ever written; under the default {$I+} state
// CloseFile on a file that was never opened raises an I/O error.  buf is
// never read.
var
f: file;
FileName:string;
begin
{Save as file information}
FileName:='c:\test.txt';   // duplicates the LogFile constant
assignfile(f, FileName);
closefile(f);
end;
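function recvout(var Rbuf;RLen:Integer):Integer;
// Appends a hex dump of the first RLen bytes of Rbuf to LogFile.
// Returns the number of bytes dumped: RLen, or 0 when RLen <= 0 (in which
// case nothing is written).  Result is always assigned.
var
  p: PByte;
  i: Integer;
  hex: string;
begin
  Result := 0;
  if RLen <= 0 then
    Exit;
  p := @Rbuf;
  hex := '';
  for i := 1 to RLen do
  begin
    hex := hex + IntToHex(p^, 2) + ' ';
    Inc(p);
  end;
  Result := RLen;
  // The complete payload is written to the log in clear, including anything
  // the application itself sends unencrypted.  Uses the LogFile constant
  // instead of repeating the literal path.
  writedat('封包內容'+'---+----'+'長度:'+inttostr(Rlen)+#$D#$A+hex, LogFile);
end;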
{------------------------------------}
{程序功能:HookAPI
{程序引數:無
{------------------------------------}
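procedure HookAPI;
// Installs the send() hook once.  Win32 export names are case-sensitive:
// ws2_32.dll exports 'send', and looking up 'Send' makes GetProcAddress
// return nil, so TNtHookClass never captures or patches anything.
begin
  if G_IsHook then
    Exit;
  G_IsHook := True;
  // Create patches send() before it returns, so the hook is already live
  // when the object becomes reachable through Hook[0].
  Hook[0] := TNtHookClass.Create(my_ws2, 'send', @Mysenddata);
end;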
{------------------------------------}
{程序功能:取消HOOKAPI
{程序引數:無
{------------------------------------}
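procedure UnHookAPI;
// Writes the original send() bytes back.  Clears G_IsHook so the unit
// records that the hook is no longer active (and HookAPI may re-arm it),
// and tolerates being called before HookAPI, when Hook[0] is still nil and
// the old code dereferenced a nil object.
begin
  if not Assigned(Hook[0]) then
    Exit;
  G_IsHook := False;
  Hook[0].UnHook;
  // The object is deliberately kept alive: a thread that is still inside
  // Mysenddata dereferences Hook[0] after the restore.
end;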
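procedure WriteDat(s: string; datfile: string = logfile);
// Appends s followed by CRLF to datfile.  Does nothing when the file does
// not exist or cannot be opened; exceptions are swallowed, keeping the
// original best-effort contract (a failed log write must not disturb the
// hooked send()).
var
  h: Integer;
begin
  try
    if not FileExists(datfile) then
      Exit;
    // This runs inside the send() hook, so several dumps may be in progress
    // at once; fmOpenWrite alone opens the file exclusively and the second
    // opener silently gets -1.  Allow concurrent writers instead.
    h := FileOpen(datfile, fmOpenWrite or fmShareDenyNone);
    if h = -1 then
      Exit;
    try
      FileSeek(h, 0, 2);   // append at end of file
      s := s + #$0D + #$0A;
      // Length(s) counts characters; scale by SizeOf(Char) so the whole
      // string is written whether string is Ansi or Unicode.
      FileWrite(h, s[1], Length(s) * SizeOf(Char));
    finally
      FileClose(h);   // never leak the handle, whatever FileWrite did
    end;
  except
    // best effort: swallowed on purpose
  end;
end;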
end.
-----------------------------------------------
//unitHook代碼
unit unitHook;
// Minimal inline hook for one exported function in the current process: the
// first 8 bytes of the target are overwritten with "mov eax, NewFunc / jmp eax".
// 32-bit (x86) only: the address is a DWORD and the jump register is eax.
interface
uses
Windows, Messages, Classes, SysUtils;
type
//NtHook class related types
TNtJmpCode=packed record //8 bytes: B8 <imm32> FF E0 <pad>
MovEax:Byte;       // $B8 = mov eax, imm32
Addr:DWORD;        // the imm32: address of the replacement function
JmpCode:Word;      // $E0FF stored little-endian as FF E0 = jmp eax
dwReserved:Byte;   // padding so the record is exactly 8 bytes
end;
TNtHookClass=class(TObject)
private
hProcess:THandle;              // GetCurrentProcess pseudo-handle
NewAddr:TNtJmpCode;            // bytes written over the target's prologue
OldAddr:array[0..7] of Byte;   // original prologue, written back by UnHook
ReadOK:Boolean;                // True once OldAddr was captured; Hook/UnHook no-op otherwise
public
BaseAddr:Pointer;              // address of the hooked export (nil when the lookup failed)
constructor Create(DllName,FuncName:string;NewFunc:Pointer);   // resolves the export and patches it immediately
destructor Destroy; override;  // UnHook, then CloseHandle(hProcess)
procedure Hook;                // write NewAddr over the target
procedure UnHook;              // write OldAddr back
end;
implementation
//==================================================
//NtHOOK 類開始
//==================================================
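constructor TNtHookClass.Create(DllName: string; FuncName: string;NewFunc:Pointer);
// Resolves FuncName in DllName (loading the DLL when it is not yet mapped),
// saves the first 8 bytes of the function in OldAddr and immediately patches
// the function to jump to NewFunc.  When the module or the export cannot be
// resolved, ReadOK stays False and Hook/UnHook become no-ops.
var
  DllModule: HMODULE;
  bytesRead: DWORD;
begin
  ReadOK := False;
  BaseAddr := nil;
  hProcess := GetCurrentProcess;
  DllModule := GetModuleHandle(PChar(DllName));
  if DllModule = 0 then
  begin
    OutputDebugString(PChar('要 HOOK 的 DLL 未被加載'));
    // The module stays loaded for the life of the process; nothing here
    // calls FreeLibrary on it.
    DllModule := LoadLibrary(PChar(DllName));
  end;
  OutputDebugString(PChar('模塊 DllModule: ' + IntToHex(DllModule, 8)));
  if DllModule = 0 then
    Exit;   // nothing to hook
  BaseAddr := Pointer(GetProcAddress(DllModule, PChar(FuncName)));
  // Log the function address itself; the old code logged @BaseAddr, i.e. the
  // address of this field, which is useless for debugging.
  OutputDebugString(PChar('模塊入口地址(基址): ' + IntToHex(Integer(BaseAddr), 8)));
  if BaseAddr = nil then
    Exit;   // export not found (export names are case-sensitive)
  // Build "mov eax, NewFunc ; jmp eax": 7 bytes plus 1 byte of padding.
  NewAddr.MovEax := $B8;
  NewAddr.Addr := DWORD(NewFunc);
  NewAddr.JmpCode := $E0FF;
  NewAddr.dwReserved := 0;
  // Capture the original prologue so UnHook can put it back.
  ReadOK := ReadProcessMemory(hProcess, BaseAddr, @OldAddr, 8, bytesRead);
  // The patch goes live here, before the constructor returns to its caller.
  Hook;
end;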
//釋放物件
destructor TNtHookClass.Destroy;
// Restores the original bytes, then closes hProcess (a no-op for the
// GetCurrentProcess pseudo-handle stored by Create) and runs the inherited
// destructor.
begin
UnHook;
CloseHandle(hProcess);
inherited;
end;
//開始攔截
procedure TNtHookClass.Hook;
// Writes the mov/jmp stub (NewAddr, 8 bytes) over the start of BaseAddr.
// Skipped, with a debug message, when Create could not capture the original
// bytes.  NOTE(review): no synchronisation with other threads; a thread
// executing inside those first 8 bytes while they change is not handled.
var
  written: DWORD;
begin
  if ReadOK then
  begin
    if not WriteProcessMemory(hProcess, BaseAddr, @NewAddr, SizeOf(NewAddr), written) then
      OutputDebugString(PChar(' Hook Error...'));
  end
  else
    OutputDebugString(PChar('Hook ReadOK = False'));
end;
//恢復攔截
procedure TNtHookClass.UnHook;
// Writes the saved original bytes (OldAddr, 8 bytes) back over BaseAddr,
// undoing Hook.  Skipped, with a debug message, when the original bytes were
// never captured.  NOTE(review): same caveat as Hook — no synchronisation
// with threads that may be executing the patched prologue.
var
  written: DWORD;
begin
  if ReadOK then
  begin
    if not WriteProcessMemory(hProcess, BaseAddr, @OldAddr, SizeOf(OldAddr), written) then
      OutputDebugString(PChar(' UnHook Error...'));
  end
  else
    OutputDebugString(PChar('UnHook ReadOK = False'));
end;
end.
