



{ SuperHook
  Installs an import-address-table (IAT) hook inside the current process:
  it locates the import of ntdll!NtDeviceIoControlFile in the import table of
  mswsock.dll and overwrites that IAT slot with the address of
  NewNtDeviceIoControlFile (declared outside this listing). The value that was
  in the slot is saved in OldNtDeviceIoControl (also declared elsewhere).

  Returns True only after the slot has been written; False when mswsock.dll
  cannot be loaded, the DOS/NT signature checks fail, the module has no import
  directory, or no matching import is found.

  NOTE(review): all pointer arithmetic below is DWORD/4-byte based, i.e. it
  assumes a 32-bit process; the author's own remarks on the thunk arithmetic
  say it misbehaves on Win7 x64.
  NOTE(review): the result of WriteProcessMemory is never checked, the handle
  from LoadLibrary is never released, and the "[HOOK]" OutputDebugString
  messages are an observable artifact for anything with a debugger attached.
  Ordinal, ulSize and pszModName are declared but never used. }
function SuperHook(): Boolean;
var
hMod: HMODULE;
pDosHeader: PImageDosHeader;
pNtHeaders: PImageNtHeaders;
ImportDescriptor: PImageImportDescriptor;
ThunkData: PImageThunkData;
dll_name, func_name: PAnsiChar;
iNum: Integer;
lpAddr: Pointer;
myaddr: DWORD;
btw: SIZE_T;
Ordinal: DWORD;
ulSize: DWORD;
pszModName: LPSTR;
begin
Result := False;
hMod := LoadLibrary('mswsock.dll'); // base address of the target module (no matching FreeLibrary in this routine)
if (hMod = 0) then
begin
Exit;
end;
pDosHeader := PImageDosHeader(hMod); // DOS header sits at the module base
if (pDosHeader^.e_magic <> IMAGE_DOS_SIGNATURE) then
begin
Exit;
end;
pNtHeaders := PImageNtHeaders(hMod + DWORD(pDosHeader^._lfanew)); // NT headers at e_lfanew
if (pNtHeaders^.Signature <> IMAGE_NT_SIGNATURE) then
begin
Exit;
end;
// bail out if the import data directory is absent or empty
if (pNtHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = 0)
or (pNtHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 0) then
begin
Exit;
end;
// first IMAGE_IMPORT_DESCRIPTOR of the import table
ImportDescriptor := PImageImportDescriptor(hMod + pNtHeaders^.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
while (ImportDescriptor^.FirstThunk <> 0) do // a zero FirstThunk is used as the end-of-table sentinel
begin
dll_name := PAnsiChar(hMod + ImportDescriptor^.Name);
//OutputDebugString(PChar(Format('[HOOK] Found "%s" for HOOK.', [StrPas(dll_name)])));
if (StrIComp(dll_name, 'ntdll.dll') <> 0) then // only the ntdll.dll import set is of interest
begin
Inc(ImportDescriptor);
Continue;
end;
OutputDebugString(PChar(Format('[HOOK] OK "%s" for HOOK.', [StrPas(dll_name)])));
// walk the original (name) thunk table; iNum is the 1-based slot index within it
ThunkData := PImageThunkData(hMod + ImportDescriptor^.CharacteristicsOrOriginalFirstThunk);
iNum := 1;
while (ThunkData^.Function_ <> nil) do
begin
// +2 skips the 2-byte Hint of IMAGE_IMPORT_BY_NAME.
// NOTE(review): no IMAGE_ORDINAL_FLAG check, so an import-by-ordinal entry would be treated as a name pointer
func_name := PAnsiChar(hMod + ThunkData^.AddressOfData + 2);
//OutputDebugString(PChar(Format('[HOOK] find API: %s', [StrPas(func_name)])));
if (StrIComp(func_name, 'NtDeviceIoControlFile') = 0) then // found NtDeviceIoControlFile
begin
OutputDebugString(PChar(Format('[HOOK] Lock "%s" for HOOK.', [StrPas(func_name)])));
myaddr := DWORD(@NewNtDeviceIoControlFile); // replacement routine (declared elsewhere)
OutputDebugString(PChar(Format('[HOOK] FirstThunk=%d,CharacteristicsOrOriginalFirstThunk=%d', [ImportDescriptor^.FirstThunk, ImportDescriptor^.CharacteristicsOrOriginalFirstThunk])));
if ImportDescriptor^.FirstThunk > 0 then
begin
// IAT slot for this import, assuming 4-byte entries (32-bit only).
// Author's note: fine on XP, problematic on Win7 x64.
lpAddr := Pointer(hMod + ImportDescriptor^.FirstThunk + (iNum - 1) * 4);
end
else
begin
// unreachable: the enclosing loop only runs while FirstThunk <> 0
lpAddr := Pointer(hMod + ImportDescriptor^.CharacteristicsOrOriginalFirstThunk + DWORD(iNum - 1) * 4);
end;
OldNtDeviceIoControl := PDWORD(lpAddr)^; // save the original slot value (unit-level variable, declared elsewhere)
OutputDebugString(PChar(Format('[HOOK] Base=%0.8X, Thunk=%0.8X, ID=%X', [hMod, ImportDescriptor^.FirstThunk, iNum - 1])));
OutputDebugString(PChar(Format('[HOOK] Orign[0x%0.8X]=0x%0.8X, new Addr=0x%0.8X', [DWORD(lpAddr), PDWORD(lpAddr)^, myaddr]))); // author's note: on XP the slot reads a sane value, on Win7 x64 it reads as empty
// overwrite the slot. NOTE(review): neither the return value nor btw is checked,
// so a failed write still falls through to Result := True
WriteProcessMemory(GetCurrentProcess(), lpAddr, @myaddr, SizeOf(FARPROC), btw);
Result := True;
Exit;
end;
Inc(iNum); // next slot in the thunk table
Inc(ThunkData);
end;
Inc(ImportDescriptor);
end;
end;