Talking about API HOOK Technology (2)
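Here I have to change direction. Some have said that modifying memory means going into Ring 0. However, Windows itself provides a memory-writing function, WriteProcessMemory. With this tool we can reach almost anywhere — game modifications and the like. Here we only discuss API hooking.

```pascal
// RepointFunction: rewrites import-table entries in the current process so that
// every slot which resolves to OldFunc points to NewFunc instead.
// It starts from the main module (GetModuleHandle(nil)) and recurses into each
// DLL named in that module's import table.
// Returns the number of import slots rewritten (0 if OldFunc is not imported
// anywhere or a module header could not be read).
// Only calls that go through the import table are affected; code that obtains
// the address some other way (e.g. GetProcAddress) still reaches OldFunc.
// An import slot that no longer points into its own DLL is also exactly what
// IAT-integrity checks look for, so hooks installed this way are easy to spot.
function RepointFunction(OldFunc, NewFunc: Pointer): Integer;
var
  IsDone: TList;  // modules already visited; stops the recursion on circular imports

  // Rewrites the import table of one module, then recurses into the modules it imports.
  function RepointAddrInModule(hModule: THandle; OldFunc, NewFunc: Pointer): Integer;
  var
    Dos: PImageDosHeader;
    NT: PImageNTHeaders;
    ImportDesc: PImage_Import_Entry;  // the article's own import-descriptor record (not shown here)
    RVA: DWORD;
    Func: ^Pointer;                   // walks the thunk array of one import descriptor
    DLL: string;
    F: Pointer;
    Written: DWORD;
  begin
    Result := 0;
    if hModule = 0 then Exit;         // DLL not loaded, or GetModuleHandle failed
    Dos := Pointer(hModule);
    if IsDone.IndexOf(Dos) >= 0 then Exit;
    IsDone.Add(Dos);
    // LocateFunctionAddress is defined elsewhere (presumably in part 1); it appears to
    // normalise a function pointer to its final address so the comparison below is stable.
    OldFunc := LocateFunctionAddress(OldFunc);
    // IsBadReadPtr is a best-effort guard only; Microsoft documents it as unreliable,
    // so passing a valid module handle remains the caller's responsibility.
    if IsBadReadPtr(Dos, SizeOf(TImageDosHeader)) then Exit;
    if Dos.e_magic <> IMAGE_DOS_SIGNATURE then Exit;
    // Pointer arithmetic through Integer assumes a 32-bit address space.
    NT := Pointer(Integer(Dos) + Dos._lfanew);
    RVA := NT^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if RVA = 0 then Exit;             // module has no import table
    ImportDesc := Pointer(Integer(Dos) + RVA);
    while ImportDesc^.Name <> 0 do    // the descriptor array ends with an all-zero entry
    begin
      DLL := PChar(Integer(Dos) + ImportDesc^.Name);
      // Count the slots rewritten inside the imported module as well; the original
      // discarded this return value.
      Inc(Result, RepointAddrInModule(GetModuleHandle(PChar(DLL)), OldFunc, NewFunc));
      // LookupTable must be the thunk array the code actually calls through (FirstThunk
      // in PE terms) for the write below to have any effect -- verify the record layout.
      Func := Pointer(Integer(Dos) + ImportDesc^.LookupTable);
      while Func^ <> nil do
      begin
        F := LocateFunctionAddress(Func^);
        if F = OldFunc then
        begin
          // WriteProcessMemory rather than Func^ := NewFunc, presumably so the write does
          // not fault on a read-only import page. SizeOf(Pointer) replaces the original
          // hard-coded 4, which is only correct for a 32-bit process.
          if WriteProcessMemory(GetCurrentProcess, Func, @NewFunc, SizeOf(Pointer), Written)
             and (Written = SizeOf(Pointer)) then
            Inc(Result);
        end;
        Inc(Func);
      end;
      Inc(ImportDesc);
    end;
  end;

begin
  IsDone := TList.Create;
  try  // 'try' was missing in the original, leaving 'finally' without a matching block
    Result := RepointAddrInModule(GetModuleHandle(nil), OldFunc, NewFunc);
  finally
    IsDone.Free;
  end;
end;
```

With these two functions we can replace almost any API function. We first write a DLL. Here I take modifying the text-output functions as an example; first define several function types:

```pascal
type
  // Signatures of the GDI text functions being hooked; stdcall matches the Win32 ABI.
  TTextOutA = function(DC: HDC; X, Y: Integer; Str: PAnsiChar; Count: Integer): BOOL; stdcall;
  TTextOutW = function(DC: HDC; X, Y: Integer; Str: PWideChar; Count: Integer): BOOL; stdcall;
  TTextOut = function(DC: HDC; X, Y: Integer; Str: PChar; Count: Integer): BOOL; stdcall;
  TDrawTextA = function(hDC: HDC; lpString: PAnsiChar; nCount: Integer; var lpRect: TRect; uFormat: UINT): Integer; stdcall;
  TDrawTextW = function(hDC: HDC; lpString: PWideChar; nCount: Integer; var lpRect: TRect; uFormat: UINT): Integer; stdcall;
  TDrawText = function(hDC: HDC; lpString: PChar; nCount: Integer; var lpRect: TRect; uFormat: UINT): Integer; stdcall;

var
  // Original entry points. They must be captured before RepointFunction rewrites the
  // import slots, otherwise each hook below ends up calling itself; the article does
  // not show where they are assigned.
  OldTextOutA: TTextOutA;
  OldTextOutW: TTextOutW;
  OldTextOut: TTextOut;
  OldDrawTextA: TDrawTextA;
  OldDrawTextW: TDrawTextW;
  OldDrawText: TDrawText;

{ ...... (the rest of the unit is omitted in the article) }

// Replacement for TextOutA. Str and Count are deliberately ignored: the demo draws
// the fixed string 'ABC' in place of whatever the caller asked for.
function MyTextOutA(DC: HDC; X, Y: Integer; Str: PAnsiChar; Count: Integer): BOOL; stdcall;
begin
  // Result was never assigned in the original, so callers received an undefined BOOL.
  Result := OldTextOutA(DC, X, Y, 'ABC', Length('ABC'));
end;

// Replacement for TextOutW; same behaviour as MyTextOutA for the wide-character entry.
function MyTextOutW(DC: HDC; X, Y: Integer; Str: PWideChar; Count: Integer): BOOL; stdcall;
begin
  Result := OldTextOutW(DC, X, Y, 'ABC', Length('ABC'));
end;
```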
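// Replacement for TextOut (the PChar variant). Str and Count are deliberately ignored:
// the demo draws the fixed string 'ABC' in place of whatever the caller asked for.
// OldTextOut must hold the original entry point, captured before the import slot was
// rewritten; the article does not show where it is assigned.
function MyTextOut(DC: HDC; X, Y: Integer; Str: PChar; Count: Integer): BOOL; stdcall;
begin
  // Result was never assigned in the original, so callers received an undefined BOOL.
  Result := OldTextOut(DC, X, Y, 'ABC', Length('ABC'));
end;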
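// Replacement for DrawTextA. lpString and nCount are deliberately ignored: the demo
// draws the fixed string 'ABC'; lpRect and uFormat are passed through unchanged.
// OldDrawTextA must hold the original entry point, captured before the import slot was
// rewritten; the article does not show where it is assigned.
function MyDrawTextA(hDC: HDC; lpString: PAnsiChar; nCount: Integer; var lpRect: TRect; uFormat: UINT): Integer; stdcall;
begin
  // Result was never assigned in the original, so the text height DrawText reports was lost.
  Result := OldDrawTextA(hDC, 'ABC', Length('ABC'), lpRect, uFormat);
end;

// Replacement for DrawTextW; same behaviour as MyDrawTextA for the wide-character entry.
function MyDrawTextW(hDC: HDC; lpString: PWideChar; nCount: Integer; var lpRect: TRect; uFormat: UINT): Integer; stdcall;
begin
  Result := OldDrawTextW(hDC, 'ABC', Length('ABC'), lpRect, uFormat);
end;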
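// Replacement for DrawText (the PChar variant). lpString and nCount are deliberately
// ignored: the demo draws the fixed string 'ABC'; lpRect and uFormat pass through.
// OldDrawText must hold the original entry point, captured before the import slot was
// rewritten; the article does not show where it is assigned.
function MyDrawText(hDC: HDC; lpString: PChar; nCount: Integer; var lpRect: TRect; uFormat: UINT): Integer; stdcall;
begin
  // Result was never assigned in the original, so the text height DrawText reports was lost.
  Result := OldDrawText(hDC, 'ABC', Length('ABC'), lpRect, uFormat);
end;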