直接关闭注入的程序或者取消HOOK就会挂掉
直接上代码吧大佬帮我看看为什么
//APIHook 代码
unit APIHook;
interface
uses
SysUtils,
Dialogs,
cq,
unitHook,
Windows, WinSock;
const
  // Default log path for WriteDat; recvout passes the same literal explicitly.
  LogFile='c:\test.txt';
  // Module whose export HookAPI patches.
  my_ws2 = 'ws2_32.dll';
//-------------------- forward declarations ---------------------------
procedure HookAPI;
procedure UnHookAPI;
procedure SaveInfo(var buf); stdcall;
function recvout(var Rbuf;RLen:Integer):Integer;
procedure writedat(s: string; datfile: string = logfile);
var
  // Two slots are declared, but only Hook[0] is ever assigned or read in this unit.
  Hook: array[0..1] of TNtHookClass;
  // Raised by HookAPI; nothing in this unit clears it again.
  G_IsHook : Boolean;
implementation
// Detour that receives calls redirected from the patched export.
// Sequence: remove the patch, log the outgoing buffer, call the real function
// through its restored first bytes, re-apply the patch.
// Parameters mirror the hooked export (socket, buffer, length, flags) and the
// return value is whatever the real function returned.
function Mysenddata(s:TSocket;var Buf;len,flags:Integer):Integer;stdcall;
type
TMysenddata = function (s:TSocket;var Buf;len,flags:Integer):Integer;stdcall;
var
id:DWORD; // unused
begin
// Hook[0] is dereferenced without a nil check: if this detour runs before
// HookAPI has stored the object (Create patches before it returns) or after
// Hook[0] has been released, this line faults.
Hook[0].UnHook;
recvout(Buf,len); // hex-dump the buffer to the log file; return value ignored
Result := TMysenddata(Hook[0].BaseAddr)(s, Buf, len, flags);
// Nothing synchronises the UnHook .. Hook window. Another thread calling the
// export meanwhile runs whichever bytes are present at that instant, and this
// line re-installs the patch even if UnHookAPI ran in between.
Hook[0].Hook;
end;
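// Unfinished placeholder kept for interface compatibility; it is not called in
// this unit.
// Fixed: the original body did AssignFile followed directly by CloseFile without
// ever opening the file (no Reset/Rewrite), which raises EInOutError 103 under
// default I/O checking. `buf` is untyped and carries no length, so there is
// nothing this routine could write; it is now an explicit no-op.
procedure SaveInfo(var buf); stdcall;
begin
end;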
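// Hex-dump the RLen bytes at Rbuf ("AA BB CC ...") and append them, preceded by
// a length line, to the log file through writedat.
// Returns the number of bytes dumped (0 when RLen <= 0).
// Fixed: Result was never assigned, so callers received whatever EAX held.
// Fixed: the walk uses PByte rather than PChar, so it advances one byte per step
// even where PChar is a wide character type (Unicode Delphi).
function recvout(var Rbuf;RLen:Integer):Integer;
var
  p: PByte;
  i: Integer;
  dump: string;
begin
  p := @Rbuf;
  dump := '';
  for i := 1 to RLen do
  begin
    dump := dump + IntToHex(p^, 2) + ' ';
    Inc(p);
  end;
  writedat('封包内容'+'---+----'+'长度:'+inttostr(Rlen)+#$D#$A+dump,'c:\test.txt');
  if RLen > 0 then
    Result := RLen
  else
    Result := 0;
end;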
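{------------------------------------}
{ Purpose: patch the export named below in my_ws2 so calls go to Mysenddata.
{ Params : none
{------------------------------------}
procedure HookAPI;
begin
  // Idempotent: a second call while the hook is installed does nothing.
  if G_IsHook then
    Exit;
  // Create installs the patch before it returns, so a thread that calls the
  // patched export between that point and the assignment below lands in
  // Mysenddata while Hook[0] is still nil.
  Hook[0] := TNtHookClass.Create(my_ws2, 'Send', @Mysenddata);
  // Fixed: the flag was set before Create; had Create raised, G_IsHook stayed
  // True with Hook[0] = nil and the next UnHookAPI dereferenced nil.
  G_IsHook := True;
end;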
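{------------------------------------}
{ Purpose: restore the original bytes of the patched export.
{ Params : none
{------------------------------------}
procedure UnHookAPI;
begin
  // Fixed: Hook[0] is nil until HookAPI has run; dereferencing it here faulted.
  // The object is deliberately kept alive and G_IsHook left set: a thread that is
  // inside Mysenddata right now calls Hook[0].Hook on its way out, so releasing
  // the object here would hand it a dangling reference. Note that the same call
  // re-applies the patch, so the export can be hooked again after this returns.
  if Assigned(Hook[0]) then
    Hook[0].UnHook;
end;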
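// Append s followed by CRLF to datfile.
// Deliberately best-effort: the file must already exist (it is never created)
// and every failure is swallowed, because this runs from inside the detour.
// Fixed: FileClose now sits in a finally block, so an exception from FileSeek or
// FileWrite no longer leaks the handle.
// NOTE(review): no share flag is passed to FileOpen, so concurrent callers may
// fail to open the file and their lines are dropped silently; Length(s) is
// passed as a byte count, which assumes a single-byte string type -- confirm
// against the Delphi version in use.
procedure WriteDat(s: string; datfile: string = logfile);
var
  h: Integer;
begin
  try
    if not FileExists(datfile) then
      Exit;
    h := FileOpen(datfile, fmOpenWrite);
    if h = -1 then
      Exit;
    try
      FileSeek(h, 0, 2); // origin 2 = from end: append
      s := s + #$0D + #$0A;
      FileWrite(h, s[1], Length(s));
    finally
      FileClose(h);
    end;
  except
  end;
end;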
end.
-----------------------------------------------
//unitHook代码
unit unitHook;
interface
uses
Windows, Messages, Classes, SysUtils;
type
  // Types used by TNtHookClass.
  // Image written over the first 8 bytes of the patched function:
  //   MovEax ($B8) + Addr = mov eax, <NewFunc>  (5 bytes)
  //   JmpCode ($E0FF)     = jmp eax             (2 bytes)
  //   dwReserved          = padding             (1 byte); Create never assigns it,
  //   so Hook copies an uninitialized byte into the code page.
  TNtJmpCode=packed record
    MovEax:Byte;
    Addr:DWORD;
    JmpCode:Word;
    dwReserved:Byte;
  end;
  // In-place patch of one exported function in the current process. Addresses
  // are held in 32-bit fields, so this only works in a 32-bit process.
  TNtHookClass=class(TObject)
  private
    hProcess:THandle;              // GetCurrentProcess pseudo-handle
    NewAddr:TNtJmpCode;            // bytes that redirect to NewFunc
    OldAddr:array[0..7] of Byte;   // original bytes, restored by UnHook
    ReadOK:Boolean;                // OldAddr was captured; Hook/UnHook log and exit otherwise
  public
    BaseAddr:Pointer;              // address of the exported function (nil if not resolved)
    constructor Create(DllName,FuncName:string;NewFunc:Pointer);
    destructor Destroy; override;
    procedure Hook;
    procedure UnHook;
  end;
implementation
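//==================================================
// TNtHookClass
//==================================================
// Resolve DllName!FuncName, remember its first 8 bytes and install the patch
// before returning.
// If the export cannot be resolved, BaseAddr is nil, ReadProcessMemory fails and
// ReadOK stays False, which turns Hook/UnHook into logged no-ops.
constructor TNtHookClass.Create(DllName: string; FuncName: string;NewFunc:Pointer);
var
  DllModule:HMODULE;
  dwReserved:DWORD;
begin
  DllModule:=GetModuleHandle(PChar(DllName));
  if DllModule=0 then
  begin
    // Not mapped yet: load it. The reference taken here is never released.
    OutputDebugString(PChar('要 HOOK 的 DLL 未被加载'));
    DllModule:=LoadLibrary(PChar(DllName));
  end;
  OutputDebugString(PChar('模块 DllModule: ' + IntToHex(DllModule, 8)));
  BaseAddr:=Pointer(GetProcAddress(DllModule, PChar(FuncName)));
  // Fixed: this logged Integer(@BaseAddr), the address of the field itself,
  // instead of the resolved function address.
  OutputDebugString(PChar('模块入口地址(基址): ' + IntToHex(Integer(BaseAddr), 8)));
  hProcess:=GetCurrentProcess;
  // mov eax, NewFunc / jmp eax. dwReserved is never assigned, so the 8th byte
  // written by Hook is uninitialized.
  NewAddr.MovEax:=$B8;
  NewAddr.Addr:=DWORD(NewFunc);
  NewAddr.JmpCode:=$E0FF;
  // Capture the bytes about to be overwritten so UnHook can put them back.
  ReadOK:=ReadProcessMemory(hProcess,BaseAddr,@OldAddr,8,dwReserved);
  // The patch is live from here on, before the caller has received the object
  // reference (see APIHook.HookAPI).
  Hook;
end;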
// Release the object: put the original bytes back first, since OldAddr goes
// away with the instance.
destructor TNtHookClass.Destroy;
begin
  UnHook;
  // hProcess is the GetCurrentProcess pseudo-handle; CloseHandle on it has no effect.
  CloseHandle(hProcess);
  inherited Destroy;
end;
// Install the patch: overwrite the first 8 bytes at BaseAddr with NewAddr.
// Refuses when the original bytes were never captured, since UnHook could not
// restore them afterwards. Failures are only logged.
procedure TNtHookClass.Hook;
var
  written: DWORD;
begin
  if not ReadOK then
  begin
    OutputDebugString(PChar('Hook ReadOK = False'));
    Exit;
  end;
  // Writes the code page in place; nothing synchronises this with threads that
  // may be executing BaseAddr at the same moment.
  if not WriteProcessMemory(hProcess, BaseAddr, @NewAddr, 8, written) then
    OutputDebugString(PChar(' Hook Error...'));
end;
// Remove the patch: write the 8 saved bytes in OldAddr back to BaseAddr.
// A no-op (logged) when the original bytes were never captured. Failures are
// only logged.
procedure TNtHookClass.UnHook;
var
  written: DWORD;
begin
  if not ReadOK then
  begin
    OutputDebugString(PChar('UnHook ReadOK = False'));
    Exit;
  end;
  // Same unsynchronised in-place write as Hook, in the other direction.
  if not WriteProcessMemory(hProcess, BaseAddr, @OldAddr, 8, written) then
    OutputDebugString(PChar(' UnHook Error...'));
end;
end.