//Copyright 2003 codesky.net
library HookReg;
{$IMAGEBASE $59800000}
uses Windows,SysUtils,madCodeHook;
// ***************************************************************
var
// Trampolines to the original advapi32 routines. Their addresses are passed to
// HookAPI in the library's initialization block, and each hook procedure calls
// its trampoline to forward the request.
// NOTE(review): lpValueName is declared PChar here while the other two
// trampolines use PAnsiChar. The hooked export is RegSetValueExA, so on a
// compiler where PChar is PWideChar this declaration would not match - confirm
// the target compiler.
RegSetValueExNextHook : function (hKey: HKEY; lpValueName: PChar;Reserved: DWORD; dwType: DWORD; lpData: Pointer; cbData: DWORD): Longint; stdcall;
RegCreateKeyExNextHook : function (hKey: HKEY; lpSubKey: PAnsiChar;
Reserved: DWORD; lpClass: PAnsiChar; dwOptions: DWORD; samDesired: REGSAM;
lpSecurityAttributes: PSecurityAttributes; var phkResult: HKEY;
lpdwDisposition: PDWORD): Longint; stdcall;
RegOpenKeyExNextHook : function(hKey: HKEY; lpSubKey: PAnsiChar;
ulOptions: DWORD; samDesired: REGSAM; var phkResult: HKEY): Longint; stdcall;
// Parent key handle and sub-key name written by the open/create hooks and read
// by the set-value hook when it builds a log entry.
// NOTE(review): these are plain globals written from whichever thread calls the
// hooked API; no synchronisation is visible in this file.
MyHKey:HKEY;
MySubKey:String;
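// Maps a registry key handle to a printable name for the log.
//
// The predefined root handles are returned by name. Any other value (the hooks
// store whatever handle the caller passed, which may be a previously opened
// sub-key rather than a root) is rendered as a hexadecimal number, so the log
// entry is never left with an undefined result string.
function GetHKeyStr(HKey:HKEY):String;
begin
  if HKey = HKEY_CLASSES_ROOT then
    Result := 'HKEY_CLASSES_ROOT'
  else if HKey = HKEY_CURRENT_USER then
    Result := 'HKEY_CURRENT_USER'
  else if HKey = HKEY_LOCAL_MACHINE then
    Result := 'HKEY_LOCAL_MACHINE'
  else if HKey = HKEY_USERS then
    Result := 'HKEY_USERS'
  else if HKey = HKEY_PERFORMANCE_DATA then
    Result := 'HKEY_PERFORMANCE_DATA'
  else if HKey = HKEY_CURRENT_CONFIG then
    Result := 'HKEY_CURRENT_CONFIG'
  else if HKey = HKEY_DYN_DATA then
    Result := 'HKEY_DYN_DATA'
  else
    // Not a predefined root: the original left Result unassigned on this path.
    Result := '0x' + IntToHex(Int64(HKey), 8);
end;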
// Returns the decimal text of a byte value (0..255), without padding.
function Byte2Str(B:Byte):String;
begin
  Result := IntToStr(B);
end;
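// Maps a registry value type code to the label written to the log.
//
// REG_SZ, REG_DWORD, REG_BINARY and REG_EXPAND_SZ get their own label. Every
// other type code is reported with its numeric value, so the result is always
// assigned (the original returned an undefined string for those).
function GetKeyType(dwType:DWORD):String;
begin
  if dwType = REG_SZ then
    Result := '字符串'
  else if dwType = REG_DWORD then
    Result := '整型'
  else if dwType = REG_BINARY then
    Result := '二进制数据'
  else if dwType = REG_EXPAND_SZ then
    Result := '扩展字符串'
  else
    Result := '未知类型 ' + IntToStr(dwType);
end;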
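// Renders a registry value's data as printable text for the log.
// REG_SZ / REG_EXPAND_SZ are copied as ANSI text with trailing NULs removed,
// REG_DWORD is printed in decimal, and any other type as hex bytes.
function FormatRegData(dwType: DWORD; lpData: Pointer; cbData: DWORD): String;
var
  raw: AnsiString;
  i: Integer;
begin
  Result := '';
  // The data pointer may be nil (e.g. an empty value); never dereference it.
  if (lpData = nil) or (cbData = 0) then
    Exit;
  if (dwType = REG_SZ) or (dwType = REG_EXPAND_SZ) then
  begin
    SetString(raw, PAnsiChar(lpData), cbData);
    // cbData normally counts the terminating NUL; keep it out of the log line.
    while (Length(raw) > 0) and (raw[Length(raw)] = #0) do
      SetLength(raw, Length(raw) - 1);
    Result := String(raw);
  end
  else if (dwType = REG_DWORD) and (cbData >= SizeOf(DWORD)) then
    Result := IntToStr(PDWORD(lpData)^)
  else
    for i := 0 to Integer(cbData) - 1 do
      Result := Result + IntToHex(Ord(PAnsiChar(lpData)[i]), 2) + ' ';
end;

// Hook for RegSetValueExA: appends one entry per call to c:\tem.txt and then
// forwards the call unchanged to the original routine.
//
// Parameters and result are those of RegSetValueExA; the result is whatever
// the original routine returns.
//
// Logging is best-effort. Any failure while formatting or writing (file locked,
// access denied, bad data pointer size) is swallowed so that the host process
// still gets its registry write; the original let such an exception escape
// from the hook into the caller.
//
// NOTE(review): the logged BootKey/SubKey come from the MyHKey/MySubKey
// globals, i.e. the most recent open/create seen by the hooks, not from the
// hKey argument of this call, so the entry can name a different key than the
// one actually written.
// NOTE(review): value data is written in clear text to a fixed path in the
// drive root; registry values can hold credentials, so the log file needs the
// same protection as the data it records.
function RegSetValueExHook(hKey: HKEY; lpValueName: PChar;Reserved: DWORD; dwType: DWORD; lpData: Pointer; cbData: DWORD): Longint; stdcall;
var
  msg: String;
  F: TextFile;
  filename: String;
begin
  try
    msg := 'BootKey:' + GetHKeyStr(MyHKey) + #13 + #10;
    msg := msg + 'SubKey:' + MySubKey + #13 + #10;
    msg := msg + '键名: ' + lpValueName + #13 + #10;
    msg := msg + '值类型: ' + GetKeyType(dwType) + #13 + #10;
    msg := msg + '值: ' + FormatRegData(dwType, lpData, cbData) + #13 + #10 + #13 + #10;
    // Write the log file: append when it exists, otherwise create it.
    filename := 'c:\tem.txt';
    AssignFile(F, filename);
    if FileExists(filename) then
      Append(F)
    else
      Rewrite(F);
    try
      Writeln(F, msg);
    finally
      // Always release the file handle, even when the write fails.
      CloseFile(F);
    end;
  except
    // Deliberately ignored: a logging failure must not break the hooked call.
  end;
  // Disabled interactive prompt kept from the original:
  //MessageBox(0, pchar(msg), '注册正被改写', MB_YESNO or MB_ICONQUESTION);
  Result := RegSetValueExNextHook(hKey, lpValueName, Reserved, dwType, lpData, cbData);
end;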
// Hook for RegCreateKeyExA: records the parent handle and sub-key name in the
// MyHKey/MySubKey globals, then forwards the call to the original routine and
// returns its result.
// NOTE(review): the globals are updated before the original call runs and
// regardless of its result, and they are shared by every calling thread
// without synchronisation.
function RegCreateKeyExHook(hKey: HKEY; lpSubKey: PAnsiChar;
  Reserved: DWORD; lpClass: PAnsiChar; dwOptions: DWORD; samDesired: REGSAM;
  lpSecurityAttributes: PSecurityAttributes; var phkResult: HKEY;
  lpdwDisposition: PDWORD): Longint; stdcall;
begin
  // Remember which key was requested; the set-value hook reads these later.
  MySubKey := lpSubKey;
  MyHKey := hKey;
  Result := RegCreateKeyExNextHook(hKey, lpSubKey, Reserved, lpClass,
    dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);
end;
// Hook for RegOpenKeyExA: records the parent handle and sub-key name in the
// MyHKey/MySubKey globals, then forwards the call to the original routine and
// returns its result.
// NOTE(review): the handle stored is the hKey argument, not the handle returned
// in phkResult, so a later RegSetValueEx on the opened key cannot be matched to
// it by handle value.
function RegOpenKeyExHook(hKey: HKEY; lpSubKey: PAnsiChar;
  ulOptions: DWORD; samDesired: REGSAM; var phkResult: HKEY): Longint; stdcall;
begin
  // Remember which key was requested; the set-value hook reads these later.
  MySubKey := lpSubKey;
  MyHKey := hKey;
  Result := RegOpenKeyExNextHook(hKey, lpSubKey, ulOptions, samDesired, phkResult);
end;
// ***************************************************************
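begin
  // Library initialization: install the three registry hooks. HookAPI reports
  // failure through its Boolean result, which the original ignored; a failed
  // hook is now reported on the debug output so incomplete coverage is visible.
  // Only the ANSI (A) exports are hooked here, so calls made through the
  // wide-character (W) variants are not observed by this library.
  if not HookAPI('advapi32.dll', 'RegCreateKeyExA', @RegCreateKeyExHook, @RegCreateKeyExNextHook) then
    OutputDebugString('HookReg: failed to hook RegCreateKeyExA');
  if not HookAPI('advapi32.dll', 'RegOpenKeyExA', @RegOpenKeyExHook, @RegOpenKeyExNextHook) then
    OutputDebugString('HookReg: failed to hook RegOpenKeyExA');
  if not HookAPI('advapi32.dll', 'RegSetValueExA', @RegSetValueExHook, @RegSetValueExNextHook) then
    OutputDebugString('HookReg: failed to hook RegSetValueExA');
end.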