Unzip password: hook
As the title says: the test passes on XP but fails on Windows 7 x64. I wonder whether the problem is this line:
  lpAddr := Pointer(hMod + ImportDescriptor^.FirstThunk + (iNum - 1) * 4); // works on XP; is something wrong here on Windows 7 x64??
These are the key parts of the source code:
uses Windows, SysUtils; // PE header types, StrIComp, StrPas and Format

// NewNtDeviceIoControlFile (the replacement routine) and OldNtDeviceIoControl
// (storage for the original address) are defined elsewhere in the unit and are not shown here.
function SuperHook: Boolean;
var
  hMod: HMODULE;
  pDosHeader: PImageDosHeader;
  pNtHeaders: PImageNtHeaders;
  ImportDescriptor: PImageImportDescriptor;
  ThunkData: PImageThunkData;
  dll_name, func_name: PAnsiChar;
  iNum: Integer;
  lpAddr: Pointer;
  myaddr: DWORD;
  btw: SIZE_T;
  Ordinal: DWORD;
  ulSize: DWORD;
  pszModName: LPSTR;
begin
  Result := False;
  hMod := LoadLibrary('mswsock.dll'); // get the target module's base address
  if hMod = 0 then
  begin
    Exit;
  end;
  pDosHeader := PImageDosHeader(hMod); // DOS header
  if pDosHeader^.e_magic <> IMAGE_DOS_SIGNATURE then
  begin
    Exit;
  end;
  pNtHeaders := PImageNtHeaders(hMod + DWORD(pDosHeader^._lfanew)); // NT headers
  if pNtHeaders^.Signature <> IMAGE_NT_SIGNATURE then
  begin
    Exit;
  end;
  // check that the import table data directory is present
  if (pNtHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0)
    or (pNtHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 0) then
  begin
    Exit;
  end;
  // pointer to the first import descriptor
  ImportDescriptor := PImageImportDescriptor(hMod + pNtHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  while ImportDescriptor^.FirstThunk <> 0 do
  begin
    dll_name := PAnsiChar(hMod + ImportDescriptor^.Name);
    // OutputDebugString(PChar(Format('[HOOK] Found "%s" for the hooks.', [StrPas(dll_name)])));
    if StrIComp(dll_name, 'NTDLL.DLL') <> 0 then // only the import entry for NTDLL.DLL is wanted
    begin
      Inc(ImportDescriptor);
      Continue;
    end;
    OutputDebugString(PChar(Format('[HOOK] OK "%s" for the hooks.', [StrPas(dll_name)])));
    ThunkData := PImageThunkData(hMod + ImportDescriptor^.CharacteristicsOrOriginalFirstThunk);
    iNum := 1;
    while ThunkData^.Function_ <> nil do
    begin
      func_name := PAnsiChar(hMod + ThunkData^.AddressOfData + 2); // skip the 2-byte Hint of IMAGE_IMPORT_BY_NAME
      // OutputDebugString(PChar(Format('[HOOK] find API: %s', [StrPas(func_name)])));
      if StrIComp(func_name, 'NtDeviceIoControlFile') = 0 then // found NtDeviceIoControlFile
      begin
        OutputDebugString(PChar(Format('[HOOK] Lock "%s" for the hooks.', [StrPas(func_name)])));
        myaddr := DWORD(@NewNtDeviceIoControlFile); // our replacement routine
        OutputDebugString(PChar(Format('[HOOK] FirstThunk=%d, CharacteristicsOrOriginalFirstThunk=%d',
          [ImportDescriptor^.FirstThunk, ImportDescriptor^.CharacteristicsOrOriginalFirstThunk])));
        if ImportDescriptor^.FirstThunk > 0 then
        begin
          lpAddr := Pointer(hMod + ImportDescriptor^.FirstThunk + (iNum - 1) * 4); // works on XP; is something wrong here on Windows 7 x64???
        end
        else
        begin
          lpAddr := Pointer(hMod + ImportDescriptor^.CharacteristicsOrOriginalFirstThunk + DWORD(iNum - 1) * 4);
        end;
        OldNtDeviceIoControl := PDWORD(lpAddr)^; // save the original address
        OutputDebugString(PChar(Format('[HOOK] Base=%0.8X, Thunk=%0.8X, ID=%X',
          [hMod, ImportDescriptor^.FirstThunk, iNum - 1])));
        OutputDebugString(PChar(Format('[HOOK] Orign[0x%0.8X]=0x%0.8X, New Addr=0x%0.8X',
          [DWORD(lpAddr), PDWORD(lpAddr)^, myaddr]))); // on XP PDWORD(lpAddr)^ holds a normal value; on Win7 x64 it is empty
        WriteProcessMemory(GetCurrentProcess, lpAddr, @myaddr, SizeOf(FARPROC), btw);
        Result := True;
        Exit;
      end;
      Inc(iNum);
      Inc(ThunkData);
    end;
    Inc(ImportDescriptor);
  end;
end;
The source code has been packaged and uploaded to the cloud drive. If it can be changed so that the 64-bit compiled build passes the test, that would be great. Thank you so much!
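The walk the Delphi code performs (DOS header, NT headers, import data directory, descriptor array, name thunks, then the matching slot in FirstThunk) is the same for every PE module; what changes between a 32-bit and a 64-bit image is the size of each thunk entry (4 bytes in PE32, 8 bytes in PE32+) and the position of the ordinal flag bit. The following Python is an added example, not the poster's code or anything from the attached project: it walks the import table of a mapped image for both formats and reports, per import, which IAT slot the loader resolves. That is the read-only half of the job, and the same routine is what a defender runs to enumerate IAT slots before checking them against the exporting module's addresses. The PE images it parses are constructed in `build_image` as test fixtures (dummy resolved addresses, RVA equal to file offset as in a mapped module); the field names and constants are the ones from winnt.h.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# PE constants from winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0'
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_SIZEOF_FILE_HEADER = 20
IMAGE_SIZEOF_IMPORT_DESCRIPTOR = 20


@dataclass
class ImportEntry:
    dll: str
    name: Optional[str]      # None when imported by ordinal
    ordinal: Optional[int]
    iat_rva: int             # RVA of the IAT slot the loader fills in (the slot a hook would overwrite)


def _cstr(img: bytes, off: int) -> str:
    return img[off:img.index(b"\0", off)].decode("ascii")


def walk_imports(img: bytes) -> List[ImportEntry]:
    """Walk the import table of a mapped PE image (RVA == offset, i.e. what hMod + RVA addresses)."""
    if struct.unpack_from("<H", img, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if struct.unpack_from("<I", img, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + IMAGE_SIZEOF_FILE_HEADER            # start of IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", img, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        thunk_fmt, thunk_size, ord_flag, dd_off = "<I", 4, 1 << 31, 96    # DataDirectory at +96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        thunk_fmt, thunk_size, ord_flag, dd_off = "<Q", 8, 1 << 63, 112   # DataDirectory at +112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dir_rva, dir_size = struct.unpack_from(
        "<II", img, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if dir_rva == 0 or dir_size == 0:
        return []
    entries: List[ImportEntry] = []
    desc = dir_rva
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", img, desc)
        if ft == 0:                                          # all-zero descriptor terminates the array
            break
        dll = _cstr(img, name_rva)
        names_rva = oft if oft != 0 else ft                  # no INT: names sit in the (unbound) IAT itself
        idx = 0
        while True:
            thunk = struct.unpack_from(thunk_fmt, img, names_rva + idx * thunk_size)[0]
            if thunk == 0:
                break
            slot = ft + idx * thunk_size                     # FirstThunk + index * SizeOf(thunk)
            if thunk & ord_flag:                             # IMAGE_ORDINAL_FLAG: import by ordinal, no name to read
                entries.append(ImportEntry(dll, None, thunk & 0xFFFF, slot))
            else:                                            # IMAGE_IMPORT_BY_NAME: 2-byte Hint, then the name
                entries.append(ImportEntry(dll, _cstr(img, thunk + 2), None, slot))
            idx += 1
        desc += IMAGE_SIZEOF_IMPORT_DESCRIPTOR
    return entries


def find_iat_slot(img: bytes, dll: str, func: str) -> Optional[int]:
    """RVA of the IAT slot for dll!func, or None if the module does not import it by name."""
    for e in walk_imports(img):
        if e.dll.lower() == dll.lower() and e.name == func:
            return e.iat_rva
    return None


def build_image(pe32plus: bool) -> bytes:
    """Constructed minimal mapped image importing from ntdll.dll; a test fixture, not a real module."""
    img = bytearray(0x500)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    struct.pack_into("<I", img, 0x40, IMAGE_NT_SIGNATURE)
    opt = 0x40 + 4 + IMAGE_SIZEOF_FILE_HEADER
    if pe32plus:
        struct.pack_into("<H", img, 0x44, 0x8664)            # Machine = AMD64
        struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
        dd_off, fmt, size, flag = 112, "<Q", 8, 1 << 63
    else:
        struct.pack_into("<H", img, 0x44, 0x014C)            # Machine = I386
        struct.pack_into("<H", img, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        dd_off, fmt, size, flag = 96, "<I", 4, 1 << 31
    struct.pack_into("<II", img, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x200, 40)
    struct.pack_into("<IIIII", img, 0x200, 0x300, 0, 0, 0x400, 0x340)   # one descriptor, null one follows
    img[0x400:0x40A] = b"ntdll.dll\0"
    img[0x410:0x428] = b"\0\0NtDeviceIoControlFile\0"       # Hint + Name
    img[0x430:0x43A] = b"\0\0NtClose\0"
    for i, thunk in enumerate((0x410, 0x430, flag | 7)):      # two by-name imports, one by ordinal
        struct.pack_into(fmt, img, 0x300 + i * size, thunk)            # INT (OriginalFirstThunk)
        struct.pack_into(fmt, img, 0x340 + i * size, 0x77000000 + i)   # IAT (FirstThunk), fake resolved addresses
    return bytes(img)


if __name__ == "__main__":
    for plus in (False, True):
        print("PE32+" if plus else "PE32")
        for e in walk_imports(build_image(plus)):
            print("  %s!%s -> IAT slot RVA 0x%X" % (e.dll, e.name or "#%d" % e.ordinal, e.iat_rva))
```

For the same import, `NtClose` at index 1, the slot lands at FirstThunk + 4 in the PE32 fixture and at FirstThunk + 8 in the PE32+ one, which is the arithmetic a fixed stride of 4 gets wrong on a 64-bit image. The ordinal check matters as well: the posted loop treats every thunk as a name pointer, so an import by ordinal would be read as an address inside the module.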
CodePudding user response:
Regardless of your problem: this hook works on the import table, so code that simply calls GetProcAddress to obtain the function address will not go through your hook at all.
CodePudding user response:
On WinXP and Win2003 the hook works normally, but under Win7 x64 it fails. I don't understand this area very well; how can it be solved?