generic.dpr

Cracker终结者——提供最优秀的软件保护技术

program Generic;
{$APPTYPE CONSOLE}
{$HINTS OFF}

{$IFDEF UNICODE}
uses Windows, SysUtils, ApiHooksW;
{$ELSE}
uses Windows, SysUtils, ApiHooks;
{$ENDIF}
//----------------------------------------------------------------------------

{$IFDEF UNICODE}
type Char = WideChar;
type PChar = PWideChar;
{$ENDIF}

type MessageBoxAType   = function(hWnd :HWND; lpText, lpCaption :PAnsiChar;
                                  uType :UINT) :Integer; stdcall;
type MessageBoxWType   = function(hWnd :HWND; lpText, lpCaption :PWideChar;
                                  uType :UINT) :Integer; stdcall;

const
  MAX_ADDRESSES  =1;     // ~space for original addresses
  TIME_LIMIT     =10000; // 10 sec
var
  Pid            :DWORD;
  hTarget        :DWORD;
  AHResult       :DWORD;
  pRCI           :PRCINFO;
  AHBase         :DWORD;
  FilePart       :PChar;
  FullDllName    :array[0..MAX_PATH-1] of Char;
  ExcludeThem    :array[0..0] of DWORD;
  AddrContentsA  :array[0..MAX_ADDRESSES-1] of ADDR_CONTENTS;
  AddrContentsW  :array[0..MAX_ADDRESSES-1] of ADDR_CONTENTS;
  ApiUnhookA     :API_UNHOOK = (MaxNoAddr: MAX_ADDRESSES; CurNoAddr: 0;
                                WhereWhat: @AddrContentsA);
  ApiUnhookW     :API_UNHOOK = (MaxNoAddr: MAX_ADDRESSES; CurNoAddr: 0;
                                WhereWhat: @AddrContentsW);
//----------------------------------------------------------------------------

function NewMessageBoxA(hWnd :HWND; lpText, lpCaption :PAnsiChar;
                        uType :UINT) :Integer; stdcall;
begin
  //call original MesageBoxA but change caption to 'Goodbye':
  NewMessageBoxA :=
  MessageBoxAType(ApiUnhookA.WhereWhat[0].ReturnWhat)(hWnd,lpText,
                  'Goodbye',uType);
end;

function NewMessageBoxW(hWnd :HWND; lpText, lpCaption :PWideChar;
                        uType :UINT) :Integer; stdcall;
begin
  //call original MesageBoxW but change caption to 'Farewell':
  NewMessageBoxW :=
  MessageBoxWType(ApiUnhookW.WhereWhat[0].ReturnWhat)(hWnd,lpText,
                  'Farewell',uType);
end;

var
  ApiHookChainW  :array[0..2] of API_HOOK = (
  (ModuleExport: HOOKS_DYNAMIC; UnhookAddresses: nil),
  (ModuleExport: 'USER32.dll'; ApiNameOrOrd: 'MessageBoxW'; dwFlags: HOOK_BY_ADDRESS or HOOK_BY_NAME; ModuleImport: MAIN_MODULE; UnhookAddresses: @ApiUnhookW; HookAddress: @NewMessageBoxW),
  (ModuleExport: HOOKS_END)
  );
//----------------------------------------------------------------------------

begin
  // First spawn Calculator (here normally => not suspended)
  // of course CreateProcess(..CREATE_SUSPENDED..) can be used
  // (and hooks/module aplication/loading would be easier)
  WinExec('Calc',SW_SHOWNORMAL);

  AHBase := hIsModuleLoaded(nil,'ApiHooks.dll',GetCurrentProcess(),0);
  pRCI := GetDefaultRCInfo;
  WriteLn(Format('ApiHooks.dll loaded at %.8X'#10'Default RCINFO at: %P',
         [AHBase, pRCI]));
  Sleep(1000); //WaitForInputIdle

{$IFDEF UNICODE}
  if GetWindowThreadProcessId(FindWindowW('SciCalc',nil), @Pid) <> 0 then
{$ELSE}
  if GetWindowThreadProcessId(FindWindow('SciCalc',nil), @Pid) <> 0 then
{$ENDIF}
  begin
{$IFDEF UNICODE}
   GetFullPathNameW('ShellAbout.dll', MAX_PATH, FullDllName, FilePart);
{$ELSE}
   GetFullPathName('ShellAbout.dll', MAX_PATH, FullDllName, FilePart);
{$ENDIF}
   AHResult := EstablishApiHooks(nil,FullDllName,Pid,TIME_LIMIT);
   if  AHResult = ErrorAWSuccess then
     WriteLn(#10'Now invoke ''About Calculator''')
   else
     if (AHResult = ErrorAHTimeOut) then
       WriteLn(#10'Can''t get result of hooking CALC.EXE - wait, then invoke ''About Calculator''')
     else
       WriteLn(#10'Hooking CALC.EXE failed!');
  end;

  // Now hook MessageBoxA called from main (this) module via HookApi:

  // 1) ExcludeModules list (OPTIONAL) must be NULL terminated (just for testing):
  ExcludeThem[0] := 0;
  {  2) Hook MessageBoxA of main module.
        Using HOOK_BY_ADDRESS has 2 purposes:
        a) Modules written in Delphi can't be hooked by HOOK_IMPORT (like it
           was packed).
        b) Because I violate the rule that UnhookAddresses can't be used for
           calling original API.
           It is allowed to use UnhookAddresses ONLY if you haven't
           specified HOOK_EXPORT. It means HOOK_ALL and HOOK_EXACT (they
           contain HOOK_EXPORT) can't be used too.
  }
{$IFDEF UNICODE}
  HookApi('USER32.dll','MessageBoxA',HOOK_BY_ADDRESS, PWideChar(MAIN_MODULE),@ApiUnhookA,
           @NewMessageBoxA,@ExcludeThem);
{$ELSE}
  HookApi('USER32.dll','MessageBoxA',HOOK_BY_ADDRESS,MAIN_MODULE,@ApiUnhookA,
           @NewMessageBoxA,@ExcludeThem);
{$ENDIF}

  // Now hook MessageBoxW called from main (this) module via dynamic hooks:
  hEstablishApiHooks(nil,@ApiHookChainW,GetCurrentProcess(),0);

  MessageBoxA(0,'Called with ''Hello'' title','Hello',0);
  MessageBoxW(0,'Called with ''Hello'' title','Hello',0);
end.