5,388
社区成员
发帖
与我相关
我的任务
分享弟兄们帮忙看一下,我看一了一个晚上都弄不明白为什么。
我正在编写一个替换系统API的类,但是遇到了奇怪的问题,我把关键代码列出来,请弟兄们帮忙看一下。
PImage_Import_Entry = ^Image_Import_Entry;
Image_Import_Entry = packed record
Characteristics: DWORD;
TimeDateStamp: DWORD;
MajorVersion: Word;
MinorVersion: Word;
Name: DWORD;
LookupTable: DWORD;
end;
TImportCode = packed record
JumpInstruction: Word;
AddressOfPointerToFunction: ^Pointer;
end;
PImportCode = ^TImportCode;
procedure TAPIHook.RepalceAllAPI(DestModName:PChar;Destproc:Pointer;SourceProc:Pointer);
var
Snapshot:THandle;
B:Bool;
me:MODULEENTRY32;
SelfMod:THandle;
ImageSize:Cardinal;
ImportDesc:PImage_Import_Entry;
ModName:Pchar;
ImpCode:PImportCode;
P:^Pointer;
function LocateFunctionAddress(Code: Pointer): Pointer;
begin
Result := Code;
if Code = nil then exit;
try
if (PImportCode(Code).JumpInstruction = $25FF) then
begin
Result := PImportCode(Code).AddressOfPointerToFunction^;
end;
except
Result := nil;
end;
end;
begin
try
Snapshot:=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,GetCurrentProcessId);
if Snapshot<>INVALID_HANDLE_VALUE then
begin
me.dwSize:=SizeOf(MODULEENTRY32);
SelfMod:=GetSelfMod;
B:=Module32First(Snapshot,me);
while B do
begin
if me.hModule<>SelfMod then
begin
ImportDesc:=PImage_Import_Entry(ImageDirectoryEntryToData(Pointer(me.hModule),True,IMAGE_DIRECTORY_ENTRY_IMPORT,ImageSize));
if ImportDesc<>nil then
begin
if ImportDesc.Name<>0 then
begin
ModName:=PChar(me.hModule+ImportDesc.Name);
while StrComp(DestModName,ModName)<>0 do
begin
inc(ImportDesc);
ModName:=PChar(me.hModule+ImportDesc.Name);
end;
P:=Pointer(me.hModule+ImportDesc.LookupTable);
ImpCode:=PImportCode(P^);
while ImpCode<>nil do
begin
//ImpCode:=LocateFunctionAddress(ImpCode);
if (ImpCode=Destproc)then//问题出在这儿,始终没有地址匹配的API找到,我弄不明白啊!
begin
SetHookAPI(P,@SourceProc);
ImpCode:=nil;
end else
begin
Inc(P);
ImpCode:=PImportCode(P^);
end;
end;
end;
B:=Module32Next(Snapshot,me)
end else
B:=False;
end else
B:=Module32Next(Snapshot,me);
end;
end;
finally
CloseHandle(Snapshot);
end;
end;
问题是,在输入节中就是找不到相关DLL中的API地址。我快疯了。
PImage_Import_Entry = ^Image_Import_Entry;
Image_Import_Entry = packed record
Characteristics: DWORD;
TimeDateStamp: DWORD;
MajorVersion: Word;
MinorVersion: Word;
Name: DWORD;
LookupTable: DWORD;
end;
TImportCode = packed record
JumpInstruction: Word;
AddressOfPointerToFunction: ^Pointer;
end;
PImportCode = ^TImportCode;
procedure TAPIHook.RepalceAllAPI(DestModName:PChar;Destproc:Pointer;SourceProc:Pointer);
var
Snapshot:THandle;
B:Bool;
me:MODULEENTRY32;
SelfMod:THandle;
ImageSize:Cardinal;
ImportDesc:PImage_Import_Entry;
ModName:Pchar;
ImpCode:PImportCode;
P:^Pointer;
function LocateFunctionAddress(Code: Pointer): Pointer;
begin
Result := Code;
if Code = nil then exit;
try
if (PImportCode(Code).JumpInstruction = $25FF) then
begin
Result := PImportCode(Code).AddressOfPointerToFunction^;
end;
except
Result := nil;
end;
end;
begin
try
Snapshot:=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,GetCurrentProcessId);
if Snapshot<>INVALID_HANDLE_VALUE then
begin
me.dwSize:=SizeOf(MODULEENTRY32);
SelfMod:=GetSelfMod;
B:=Module32First(Snapshot,me);
while B do
begin
if me.hModule<>SelfMod then
begin
ImportDesc:=PImage_Import_Entry(ImageDirectoryEntryToData(Pointer(me.hModule),True,IMAGE_DIRECTORY_ENTRY_IMPORT,ImageSize));
if ImportDesc<>nil then
begin
if ImportDesc.Name<>0 then
begin
ModName:=PChar(me.hModule+ImportDesc.Name);
while StrComp(DestModName,ModName)<>0 do
begin
inc(ImportDesc);
ModName:=PChar(me.hModule+ImportDesc.Name);
end;
P:=Pointer(me.hModule+ImportDesc.LookupTable);
ImpCode:=PImportCode(P^);
while ImpCode<>nil do
begin
//ImpCode:=LocateFunctionAddress(ImpCode);
if (ImpCode=Destproc)then//问题出在这儿,始终没有地址匹配的API找到,我弄不明白啊!
begin
SetHookAPI(P,@SourceProc);
ImpCode:=nil;
end else
begin
Inc(P);
ImpCode:=PImportCode(P^);
end;
end;
end;
B:=Module32Next(Snapshot,me)
end else
B:=False;
end else
B:=Module32Next(Snapshot,me);
end;
end;
finally
CloseHandle(Snapshot);
end;
end;
问题是,在输入节中就是找不到相关DLL中的API地址。我快疯了。
...全文
请发表友善的回复…
发表回复
