Talking about API HOOK Technology (1)

zhaozj  2021-02-08


API HOOK has always been a topic that interests everyone. The technique is used in screen word capture, internal code conversion, screen translation, Chinese localization platforms and so on. There are many articles on it, but they all hide their key points and are unwilling to explain them to the public. Here I only publish some of my experience in writing API HOOKs with Delphi.

The usual API HOOK methods are:

1. Write a dynamic link library in which you define your own replacement for the system API. Map this DLL into the address space where the system DLL resides, and point the system DLL's entry for that function at your own function. The advantage of this method is that the API is replaced for every program running on the system. Its limitation is that it only works on Win9x. (The reason is that on NT the DLLs are not shared: each process has its own mapping of the DLL in memory.)

2. Write a dynamic link library in which you define your own replacement for the system API. Map this DLL into the address space of the target process, and point that process's calls to the API at your DLL. The advantage of this method is that you can selectively choose which process gets the replacement, and it works on all Windows operating systems.

Here I use the second method. The second method requires some knowledge of the PE file format first. At the start of the file is a real-mode DOS file header, kept for compatibility with DOS. Next comes the DOS stub module: if you run a Win32 executable under pure DOS, it does execute, but it only displays the message that the Windows program cannot run in DOS real mode. Then comes the file header of the real Windows executable. Its position is not fixed; it is given by the value stored at file offset $3C. That is the part we will use.

If we call the MessageBoxA function in a program, its execution goes like this.
The program first calls the MessageBoxA stub in its own process, and that stub then jumps to the entry point of MessageBoxA in the dynamic link library. That is:

    Call MessageBoxA (0040106C)
    JMP DWORD PTR [_JMP_MESSAGEBOXA@16 (00425294)]

The content stored at 00425294 is the entry address of the MessageBoxA function. If we tamper with that value... well then, let's get started!

We need to define two structure types:

    type
      PImage_Import_Entry = ^Image_Import_Entry;
      Image_Import_Entry = record
        Characteristics: DWORD;
        TimeDateStamp: DWORD;
        MajorVersion: Word;
        MinorVersion: Word;
        Name: DWORD;          // RVA of the imported DLL's name
        LookupTable: DWORD;   // RVA of the import address table for this DLL
      end;

    type
      TImportCode = packed record
        JumpInstruction: Word;                 // defines the jump instruction JMP (JMP DWORD PTR [...])
        AddressOfPointerToFunction: ^Pointer;  // defines the address of the pointer to the function being jumped to
      end;
      PImportCode = ^TImportCode;

Next we determine the address of the function.
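The import-table walk that such a hook relies on, turned around as a defender's check and written in C rather than Delphi (this is an added example, not the article's code): the import descriptor is the article's Image_Import_Entry record, and an IAT slot like the one at 00425294 should hold an address inside the module it imports from; a slot redirected into a hook DLL does not. The image buffer, the USER32.dll address range and the 0x100/0x180/0x200 layout are constructed for the example, and it assumes RVA == buffer offset, which a real image does not.

```c
#include <stdint.h>
#include <string.h>

/* C mirror of the article's Image_Import_Entry record (winnt.h IMAGE_IMPORT_DESCRIPTOR). */
#pragma pack(push, 1)
typedef struct {
    uint32_t Characteristics;  /* OriginalFirstThunk: RVA of the import lookup table */
    uint32_t TimeDateStamp;
    uint16_t MajorVersion;     /* these two Words occupy ForwarderChain in winnt.h */
    uint16_t MinorVersion;
    uint32_t Name;             /* RVA of the DLL name string, e.g. "USER32.dll" */
    uint32_t LookupTable;      /* FirstThunk: RVA of the IAT that JMP DWORD PTR [...] reads */
} ImageImportEntry;
#pragma pack(pop)

/* Defender-side check: walk the import table of a mapped image and count IAT slots whose target
   lies outside the module they import from. Assumes RVA == offset into `img` (true only for the
   constructed buffer below). Returns -1 if the table runs past the buffer without a null descriptor. */
int count_hooked_iat_slots(const uint8_t *img, size_t len, uint32_t import_dir,
                           const char *dll, uint32_t base, uint32_t size) {
    int hooked = 0;
    for (size_t off = import_dir; off + sizeof(ImageImportEntry) <= len; off += sizeof(ImageImportEntry)) {
        ImageImportEntry e;
        memcpy(&e, img + off, sizeof e);
        if (e.Name == 0 && e.LookupTable == 0) return hooked;       /* all-zero descriptor ends the table */
        if (e.Name >= len || strncmp((const char *)img + e.Name, dll, len - e.Name) != 0) continue;
        for (size_t slot = e.LookupTable; slot + 4 <= len; slot += 4) {
            uint32_t target;
            memcpy(&target, img + slot, 4);
            if (target == 0) break;                                  /* the IAT is null-terminated */
            if (target < base || target - base >= size) hooked++;   /* points outside USER32: hooked */
        }
    }
    return -1;
}

/* Constructed 32-bit image: one descriptor for USER32.dll at 0x100, its name at 0x180, a two-entry
   IAT at 0x200 (first slot plays the role of 00425294 in the article). Module range is constructed too. */
enum { IMG_SIZE = 0x300, IMPORT_DIR = 0x100, NAME_OFF = 0x180, IAT_OFF = 0x200 };
enum { USER32_BASE = 0x77D40000, USER32_SIZE = 0x90000 };
int demo_hooked_count(uint32_t messagebox_slot, uint32_t second_slot) {
    uint8_t img[IMG_SIZE] = {0};
    ImageImportEntry e = { IAT_OFF, 0, 0, 0, NAME_OFF, IAT_OFF };
    memcpy(img + IMPORT_DIR, &e, sizeof e);          /* the next 20 zero bytes terminate the table */
    memcpy(img + NAME_OFF, "USER32.dll", 11);
    memcpy(img + IAT_OFF, &messagebox_slot, 4);      /* what the JMP DWORD PTR [00425294] reads */
    memcpy(img + IAT_OFF + 4, &second_slot, 4);      /* IAT_OFF + 8 stays 0: end of this IAT */
    return count_hooked_iat_slots(img, IMG_SIZE, IMPORT_DIR, "USER32.dll", USER32_BASE, USER32_SIZE);
}
```

On a live process the same walk would read the mapped image through its section table and compare each slot against the loaded module list, which is what an integrity checker does to report an IAT hook.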

Please credit the original source when reposting: https://www.9cbs.com/read-2871.html
