Delphi API Hook

zhaozj, 2021-02-16

When it comes to API hooks I probably know less than most of you. If you programmed under DOS you will remember the technique of intercepting interrupt vectors: you install a new interrupt service routine, so that whenever a program invokes that interrupt vector your routine runs first and then calls the original handler. That gives you a great deal of control, and many virus programs worked exactly this way. Windows allows a similar technique: when the system calls an API function, control first enters a function that we have installed. The working principle is the same as with DOS interrupts, and the technique goes by several names, such as "trap technology" or "re-entry technology", but I think "API Hook" is the best one. Plenty of software uses it, for example Jinshan Words (Kingsoft PowerWord) (no, I am not deliberately promoting Jinshan's product!): when you point the mouse at a word and a window pops up with its meaning, that is a hook at work. Enough chatter, on to the code. For your code to work correctly, the replacement function must have exactly the same form (parameters, return type and calling convention) as the API function it replaces. In this program I intercept the two functions MessageBoxA and MessageBoxW, declared like this:

    function MyBoxA(hWnd: HWND; lpText: PChar; lpCaption: PChar; uType: Cardinal): Integer; stdcall;

    function MyBoxW(hWnd: HWND; lpText: PWideChar; lpCaption: PWideChar; uType: Cardinal): Integer; stdcall;

Note the stdcall keyword. As I said, the replacement function must enter and leave the stack exactly as the intercepted function does, so its calling convention has to match the API's. The memory that holds the code cannot simply be written to directly, but you can call a function to do it: WriteProcessMemory. Some people will say this cannot be rewritten that way, but it works very well for me. It may have bugs that I am not aware of; if you know of any, please write to me.

In a PE file, when you call a function that lives in another module (for example user32.dll's GetMessage), the compiled CALL instruction does not transfer control directly to the function in the DLL. Instead it calls a JMP DWORD PTR [xxxxxxxx] instruction, and the slot at [xxxxxxxx] holds the function's true address (its entry point). So when you take an API function's address in Delphi, address := @MessageBoxA, you only get the address of that jump instruction, as explained above; the real MessageBoxA code begins elsewhere. In the program below I describe that jump stub with a record (declared with the packed keyword):

    type
      PPointer = ^Pointer;

      TImportCode = packed record
        JumpInstruction: Word;                // $25FF: the opcode of JMP DWORD PTR [xxxxxxxx]
        AddressOfPointerToFunction: PPointer; // address of the slot that holds the true entry point
      end;

      PImportCode = ^TImportCode;

Here PPointer = ^Pointer. The following function returns the true address of a function:

    function TrueFunctionAddress(Func: Pointer): Pointer;
    var
      Code: PImportCode;
    begin
      Result := Func;
      if Func = nil then Exit;
      try
        Code := Func;
        // Only follow the pointer if Func really is a JMP DWORD PTR [...] stub
        if Code.JumpInstruction = $25FF then
          Result := Code.AddressOfPointerToFunction^;
      except
        // Func pointed at unreadable memory
        Result := nil;
      end;
    end;

With that, all that remains is to replace the slot's contents with your own function. The replacement function:

    // OldFunc is the address of the slot read by the JMP stub; NewFunc is the
    // address that should be written into it (4 bytes on 32-bit Windows).
    procedure PermuteFunction(OldFunc: PPointer; NewFunc: Pointer);
    var
      Written: DWORD;
    begin
      WriteProcessMemory(GetCurrentProcess, OldFunc, @NewFunc, 4, Written);
    end;
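The same thunk walk also works in the other direction. The unit below is an added example, not code from the article: it follows the JMP DWORD PTR [slot] stub described above and reports whether the slot still holds the address the loader would resolve, which is how a program can detect that one of its imports was redirected the way PermuteFunction does. It assumes the Delphi Windows unit and the 32-bit thunk layout discussed here; the unit and function names are my own.

```pascal
unit HookCheck;
{ Added example: detects whether an import thunk has been redirected by
  comparing the IAT slot's current target with the loader-resolved export. }

interface

uses Windows, SysUtils;

function ImportSlotTarget(Thunk: Pointer): Pointer;
function IsImportRedirected(Thunk: Pointer; const Module, Name: string): Boolean;

implementation

type
  PPointer = ^Pointer;
  TImportCode = packed record
    JumpInstruction: Word;                // $25FF = JMP DWORD PTR [imm32]
    AddressOfPointerToFunction: PPointer; // the import slot the stub reads
  end;
  PImportCode = ^TImportCode;

{ Follows the JMP stub one level and returns what the slot currently points
  at; nil if Thunk is not a JMP DWORD PTR [...] stub. }
function ImportSlotTarget(Thunk: Pointer): Pointer;
var
  Code: PImportCode;
begin
  Result := nil;
  if Thunk = nil then Exit;
  Code := Thunk;
  if Code^.JumpInstruction = $25FF then
    Result := Code^.AddressOfPointerToFunction^;
end;

{ True when the slot no longer holds the export the loader would have written.
  GetProcAddress follows export forwarders, so a forwarded export compares
  equal; a True result means something rewrote the slot in this process.
  Module must already be loaded, which is the case for any imported DLL. }
function IsImportRedirected(Thunk: Pointer; const Module, Name: string): Boolean;
var
  Expected: Pointer;
begin
  Expected := GetProcAddress(GetModuleHandle(PChar(Module)), PChar(Name));
  Result := (Expected <> nil) and (ImportSlotTarget(Thunk) <> Expected);
end;

end.
```

IsImportRedirected(@MessageBoxA, 'user32.dll', 'MessageBoxA') is True while the hook from this article is installed and False once the original address has been written back.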

Save the code above as a new unit named APIHook.

Create a new application, Try1, whose main form unit is named TryUnit1. Add the APIHook unit created above, then create a unit called Mess and add the following code:

    unit Mess;

    interface

    uses
      Windows, Messages, SysUtils, Classes, APIHook;

    procedure API_Hook;
    procedure Un_API_Hook;

    var
      FuncMessageBoxA, FuncMessageBoxW: PImportCode;

    implementation

    type
      TMessageA = function(hWnd: HWND; lpText: PChar; lpCaption: PChar; uType: Cardinal): Integer; stdcall;
      TMessageW = function(hWnd: HWND; lpText: PWideChar; lpCaption: PWideChar; uType: Cardinal): Integer; stdcall;

    var
      OldMessageBoxA: TMessageA; // true entry points, saved before the slots are patched
      OldMessageBoxW: TMessageW;

    // Replacement for MessageBoxA: same signature and calling convention as the
    // original; forwards to the saved true entry point with the text replaced.
    function MyBoxA(hWnd: HWND; lpText: PChar; lpCaption: PChar; uType: Cardinal): Integer; stdcall;
    begin
      Result := OldMessageBoxA(hWnd, 'Hook A success!', lpCaption, uType);
    end;

    function MyBoxW(hWnd: HWND; lpText: PWideChar; lpCaption: PWideChar; uType: Cardinal): Integer; stdcall;
    begin
      Result := OldMessageBoxW(hWnd, 'Hook W success!', lpCaption, uType);
    end;

    procedure API_Hook;
    begin
      // Save the true addresses once, so that Un_API_Hook can restore them
      if @OldMessageBoxA = nil then
        @OldMessageBoxA := TrueFunctionAddress(@MessageBoxA);
      if @OldMessageBoxW = nil then
        @OldMessageBoxW := TrueFunctionAddress(@MessageBoxW);
      // Overwrite the import slots with our replacement functions
      PermuteFunction(FuncMessageBoxA.AddressOfPointerToFunction, @MyBoxA);
      PermuteFunction(FuncMessageBoxW.AddressOfPointerToFunction, @MyBoxW);
    end;

    procedure Un_API_Hook;
    begin
      if @OldMessageBoxA <> nil then
        PermuteFunction(FuncMessageBoxA.AddressOfPointerToFunction, @OldMessageBoxA);
      if @OldMessageBoxW <> nil then
        PermuteFunction(FuncMessageBoxW.AddressOfPointerToFunction, @OldMessageBoxW);
    end;

    initialization
      // @MessageBoxA/@MessageBoxW yield the JMP DWORD PTR [slot] stubs, not the functions themselves
      FuncMessageBoxA := @MessageBoxA;
      FuncMessageBoxW := @MessageBoxW;

    end.

Add three buttons to the main form and give them the following OnClick handlers:

    procedure TForm1.Button1Click(Sender: TObject);
    begin
      API_Hook;
    end;

    procedure TForm1.Button3Click(Sender: TObject);
    begin
      Un_API_Hook;
    end;

    procedure TForm1.Button2Click(Sender: TObject);
    begin
      MessageBoxA(Form1.Handle, 'No Hook Up A', 'MessageBoxA', MB_OK);
      MessageBoxW(Form1.Handle, 'No Hook Up W', 'MessageBoxW', MB_OK);
      MessageBox(Form1.Handle, 'No Hook Up Box', 'MessageBox', MB_OK);
    end;

Run Try1 first, then run TestTry, and compare the results: the API hook is installed only inside Try1 and does not hook any other process on the system. Compare this with a mouse hook: with SetWindowsHookEx you install a mouse hook, and when other processes receive mouse messages our program intercepts them and responds; UnhookWindowsHookEx releases the hook again. As you know, the hook has to be installed for our own callback function, and you must be aware that a mouse hook has several kinds of messages to process. There are two ways to imitate SetWindowsHookEx: write your own MySetWindowsHookEx, or use the other facility Windows provides, the GetMsgProc callback, which the Delphi Help explains very clearly. Our goal is to install a WH_GETMESSAGE message hook from inside a dynamic link library: when other processes call that function, our DLL is loaded into them, and once our DLL is loaded automatically we can make those other processes install our API hook as well.

I will write the second program next time.

When reposting, please credit the original address: https://www.9cbs.com/read-11920.html
