{
Advanced API Hook Library.
Coded By Ms-Rem ( Ms-Rem@yandex.ru ) ICQ 286370715
}
unit advApiHook;
// Pins the preferred load address of the compiled image to $13140000 instead of
// the Delphi default ($00400000). No reason is given in the source; presumably it
// is chosen so the image does not collide with the modules of the processes this
// library gets mapped into — TODO confirm. This is only a *preference*: when the
// image carries relocations the loader may still place it elsewhere.
{$IMAGEBASE $13140000}
interface
uses
Windows,
NativeAPI;
// NOTE(review): this unit is an API-hooking / process-injection toolkit
// (in-place code patching, remote threads, manual DLL mapping, privilege
// enabling, SFC tampering). Only a handful of implementations are in this
// chunk; the comments below describe what the *signatures* show and must be
// confirmed against the bodies. Where a parameter is named Process it is
// presumably an already-open process handle (cf. OpenProcessEx), not a PID —
// verify per routine before relying on it.
//
// Instruction-length helpers; presumably backed by the Opcodes* tables in the
// implementation section (their consumer is not visible here).
function SizeOfCode(Code: pointer): dword;
function SizeOfProc(Proc: pointer): dword;
// Remote-process primitives. InjectString copies Text into the target and
// returns its remote address; InjectThread runs Thread in the target with an
// Info buffer of InfoLen bytes (Results presumably selects whether the caller
// waits for / collects the outcome — confirm).
function InjectString(Process: dword; Text: PChar): PChar;
function InjectThread(Process: dword; Thread: pointer; Info: pointer;
  InfoLen: dword; Results: boolean): THandle;
// DLL loading in a foreign process: by path (InjectDll, InjectDllAlt below) or
// from an in-memory image (InjectDllEx / InjectExe / InjectThisExe — cf. the
// MapLibrary forward declaration in the implementation section).
Function InjectDll(Process: dword; ModulePath: PChar): boolean;
function InjectDllEx(Process: dword; Src: pointer): boolean;
function InjectExe(Process: dword; Data: pointer): boolean;
function InjectThisExe(Process: dword; EntryPoint: pointer): boolean;
function InjectMemory(Process: dword; Memory: pointer; Size: dword): pointer;
function ReleaseLibrary(Process: dword; ModulePath: PChar): boolean;
// CreateProcess-compatible wrappers (same parameter list as kernel32
// CreateProcess) that additionally take a DLL path / in-memory image to load
// into the new process.
function CreateProcessWithDll(lpApplicationName: pchar;
  lpCommandLine: pchar;
  lpProcessAttributes,
  lpThreadAttributes: PSecurityAttributes;
  bInheritHandles: boolean;
  dwCreationFlags: dword;
  lpEnvironment: pointer;
  lpCurrentDirectory: pchar;
  const lpStartupInfo: TStartupInfo;
  var lpProcessInformation: TProcessInformation;
  ModulePath: PChar): boolean;
function CreateProcessWithDllEx(lpApplicationName: PChar;
  lpCommandLine: PChar;
  lpProcessAttributes,
  lpThreadAttributes: PSecurityAttributes;
  bInheritHandles: boolean;
  dwCreationFlags: dword;
  lpEnvironment: pointer;
  lpCurrentDirectory: PChar;
  const lpStartupInfo: TStartupInfo;
  var lpProcessInformation:
  TProcessInformation;
  Src: pointer): boolean;
// Inline hooking. HookCode redirects TargetProc to NewProc and hands back
// OldProc, through which the original can still be reached and which
// UnhookCode takes to restore — presumably via SaveOldFunction (forward
// declared later). HookProc resolves the target by module/export name first.
function HookCode(TargetProc, NewProc: pointer; var OldProc: pointer): boolean;
function HookProc(lpModuleName, lpProcName: PChar;
  NewProc: pointer; var OldProc: pointer): boolean;
function UnhookCode(OldProc: pointer): boolean;
// Name indicates it defeats Windows File Protection (System File Checker),
// a system-integrity control. Body not visible here.
function DisableSFC: boolean;
// GetProcAddress against another process's module map.
function GetProcAddressEx(Process: dword; lpModuleName,
  lpProcName: pchar; dwProcLen: dword): pointer;
// Suspend/resume helpers: by PID, or all threads of the current process
// (the parameterless pair).
Function StopProcess(ProcessId: dword): boolean;
Function RunProcess(ProcessId: dword): boolean;
Function StopThreads(): boolean;
Function RunThreads(): boolean;
// Token privilege enabling, for the given process or the current one. The
// Debug variants presumably enable SeDebugPrivilege, which is what lets the
// injection routines open arbitrary processes — confirm in the bodies.
function EnablePrivilegeEx(Process: dword; lpPrivilegeName: PChar):Boolean;
function EnablePrivilege(lpPrivilegeName: PChar):Boolean;
function EnableDebugPrivilegeEx(Process: dword):Boolean;
function EnableDebugPrivilege():Boolean;
// Process lookup by image name (returns a PID, 0 presumably meaning not found)
// and handle acquisition by PID.
function GetProcessId(pName: PChar): dword;
Function OpenProcessEx(dwProcessId: DWORD): THandle;
Function SearchProcessThread(ProcessId: dword): dword;
// Creates a process from lpCommandLine with ModulePath loaded into it; the
// "zombie" naming is not explained in this chunk.
function CreateZombieProcess(lpCommandLine: pchar;
  var lpProcessInformation: TProcessInformation;
  ModulePath: PChar): boolean;
function InjectDllAlt(Process: dword; ModulePath: PChar): boolean;
// Terminates a process by PID; the name suggests the debugger API is used —
// confirm.
Function DebugKillProcess(ProcessId: dword): boolean;
implementation
type
  // Local copies of the Toolhelp32 THREADENTRY32 / PROCESSENTRY32 layouts (the
  // unit does not pull in TlHelp32). They are passed to Thread32First/Next and
  // Process32First/Next declared further down; per the Win32 contract dwSize
  // must be set to SizeOf(record) before the first call.
  TTHREADENTRY32 = packed record
    dwSize: DWORD;
    cntUsage: DWORD;
    th32ThreadID: DWORD;
    th32OwnerProcessID: DWORD;
    tpBasePri: Longint;
    tpDeltaPri: Longint;
    dwFlags: DWORD;
  end;
  TPROCESSENTRY32 = packed record
    dwSize: DWORD;
    cntUsage: DWORD;
    th32ProcessID: DWORD;
    th32DefaultHeapID: DWORD;
    th32ModuleID: DWORD;
    cntThreads: DWORD;
    th32ParentProcessID: DWORD;
    pcPriClassBase: Longint;
    dwFlags: DWORD;
    // ANSI buffer: the kernel32 imports below bind the non-W Process32First/Next.
    szExeFile: array[0..MAX_PATH - 1] of Char;
  end;
  TModuleList = array of dword;
  // PE import descriptor and base-relocation block header, field-for-field as
  // in winnt.h. Everything is 32-bit (dword RVAs, the *32 ordinal constants
  // below), which indicates a 32-bit-only design.
  PImageImportDescriptor = ^TImageImportDescriptor;
  TImageImportDescriptor = packed record
    OriginalFirstThunk: dword;   // RVA of the import name table (hint/name or ordinal)
    TimeDateStamp: dword;
    ForwarderChain: dword;
    Name: dword;                 // RVA of the imported DLL's name
    FirstThunk: dword;           // RVA of the IAT that gets patched at load time
  end;
  PImageBaseRelocation = ^TImageBaseRelocation;
  TImageBaseRelocation = packed record
    VirtualAddress: dword;       // page RVA the block's fixups apply to
    SizeOfBlock: dword;          // whole block size, header included
  end;
  TStringArray = array of string;
  // Shape of a DLL entry point (DllMain). Presumably invoked by MapLibrary's
  // manual-mapping path — its body is outside this chunk.
  TDllEntryProc = function(hinstDLL: HMODULE; dwReason: dword;
    lpvReserved: pointer): boolean; stdcall;
  // Bookkeeping for a manually mapped image (what MapLibrary returns).
  PLibInfo = ^TLibInfo;
  TLibInfo = packed record
    ImageBase: pointer;          // where the image was placed
    ImageSize: longint;
    DllProc: TDllEntryProc;      // entry point, callable form
    DllProcAddress: pointer;     // entry point, raw address
    LibsUsed: TStringArray;      // presumably names of dependencies resolved for it
  end;
  // Zero-length overlay for the section-header table: indexing it past 0 is
  // only valid with range checking off ({$R-}); no such directive is visible
  // in this chunk — confirm the unit's compiler settings.
  TSections = array [0..0] of TImageSectionHeader;
const
  // Offset of the Name field inside IMAGE_IMPORT_BY_NAME (it follows a WORD hint).
  IMPORTED_NAME_OFFSET = $00000002;
  // winnt.h IMAGE_ORDINAL_FLAG32 / IMAGE_ORDINAL_MASK32: a thunk with the high
  // bit set imports by ordinal (low 16 bits), otherwise by name.
  IMAGE_ORDINAL_FLAG32 = $80000000;
  IMAGE_ORDINAL_MASK32 = $0000FFFF;
  // NOTE(review): $001F03FF is the pre-Vista THREAD_ALL_ACCESS; on Vista and
  // later the SDK value is $001FFFFF. Requesting the old mask still succeeds
  // (it is a subset) but does not grant the thread rights added since.
  THREAD_ALL_ACCESS = $001F03FF;
  THREAD_SUSPEND_RESUME = $00000002;
  // Toolhelp32 snapshot flags for CreateToolhelp32Snapshot (declared below).
  TH32CS_SNAPTHREAD = $00000004;
  TH32CS_SNAPPROCESS = $00000002;
  // NOTE(review): Opcodes1/Opcodes2/Opcodes3 look like the lookup tables of an
  // x86 instruction-length decoder (one 16-bit descriptor per primary opcode
  // byte, one per 0F-prefixed opcode, and a small set of ModRM-dependent rows).
  // Their bit encoding is documented nowhere in this chunk and the consumer
  // (presumably SizeOfCode/SizeOfProc) is not visible, so do not edit entries
  // without that decoder in front of you. A single-byte primary table has no
  // room for REX handling, so treat this as 32-bit x86 only.
  Opcodes1: array [0..255] of word =
  (
  $4211, $42E4, $2011, $20E4, $8401, $8C42, $0000, $0000, $4211, $42E4,
  $2011, $20E4, $8401, $8C42, $0000, $0000, $4211, $42E4, $2011, $20E4,
  $8401, $8C42, $0000, $0000, $4211, $42E4, $2011, $20E4, $8401, $8C42,
  $0000, $0000, $4211, $42E4, $2011, $20E4, $8401, $8C42, $0000, $8000,
  $4211, $42E4, $2011, $20E4, $8401, $8C42, $0000, $8000, $4211, $42E4,
  $2011, $20E4, $8401, $8C42, $0000, $8000, $0211, $02E4, $0011, $00E4,
  $0401, $0C42, $0000, $8000, $6045, $6045, $6045, $6045, $6045, $6045,
  $6045, $6045, $6045, $6045, $6045, $6045, $6045, $6045, $6045, $6045,
  $0045, $0045, $0045, $0045, $0045, $0045, $0045, $0045, $6045, $6045,
  $6045, $6045, $6045, $6045, $6045, $6045, $0000, $8000, $00E4, $421A,
  $0000, $0000, $0000, $0000, $0C00, $2CE4, $0400, $24E4, $0000, $0000,
  $0000, $0000, $1400, $1400, $1400, $1400, $1400, $1400, $1400, $1400,
  $1400, $1400, $1400, $1400, $1400, $1400, $1400, $1400, $0510, $0DA0,
  $0510, $05A0, $0211, $02E4, $A211, $A2E4, $4211, $42E4, $2011, $20E4,
  $42E3, $20E4, $00E3, $01A0, $0000, $E046, $E046, $E046, $E046, $E046,
  $E046, $E046, $8000, $0000, $0000, $0000, $0000, $0000, $0000, $8000,
  $8101, $8142, $0301, $0342, $0000, $0000, $0000, $0000, $0401, $0C42,
  $0000, $0000, $8000, $8000, $0000, $0000, $6404, $6404, $6404, $6404,
  $6404, $6404, $6404, $6404, $6C45, $6C45, $6C45, $6C45, $6C45, $6C45,
  $6C45, $6C45, $4510, $45A0, $0800, $0000, $20E4, $20E4, $4510, $4DA0,
  $0000, $0000, $0800, $0000, $0000, $0400, $0000, $0000, $4110, $41A0,
  $4110, $41A0, $8400, $8400, $0000, $8000, $0008, $0008, $0008, $0008,
  $0008, $0008, $0008, $0008, $1400, $1400, $1400, $1400, $8401, $8442,
  $0601, $0642, $1C00, $1C00, $0000, $1400, $8007, $8047, $0207, $0247,
  $0000, $0000, $0000, $0000, $0000, $0000, $0008, $0008, $0000, $0000,
  $0000, $0000, $0000, $0000, $4110, $01A0
  );
  // Two-byte (0F xx) opcode map — same caveats as Opcodes1.
  Opcodes2: array [0..255] of word =
  (
  $0118, $0120, $20E4, $20E4, $FFFF, $0000, $0000, $0000, $0000, $0000,
  $FFFF, $FFFF, $FFFF, $0110, $0000, $052D, $003F, $023F, $003F, $023F,
  $003F, $003F, $003F, $023F, $0110, $FFFF, $FFFF, $FFFF, $FFFF, $FFFF,
  $FFFF, $FFFF, $4023, $4023, $0223, $0223, $FFFF, $FFFF, $FFFF, $FFFF,
  $003F, $023F, $002F, $023F, $003D, $003D, $003F, $003F, $0000, $8000,
  $8000, $8000, $0000, $0000, $FFFF, $FFFF, $FFFF, $FFFF, $FFFF, $FFFF,
  $FFFF, $FFFF, $FFFF, $FFFF, $20E4, $20E4, $20E4, $20E4, $20E4, $20E4,
  $20E4, $20E4, $20E4, $20E4, $20E4, $20E4, $20E4, $20E4, $20E4, $20E4,
  $4227, $003F, $003F, $003F, $003F, $003F, $003F, $003F, $003F, $003F,
  $003F, $003F, $003F, $003F, $003F, $003F, $00ED, $00ED, $00ED, $00ED,
  $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED,
  $0065, $00ED, $04ED, $04A8, $04A8, $04A8, $00ED, $00ED, $00ED, $0000,
  $FFFF, $FFFF, $FFFF, $FFFF, $FFFF, $FFFF, $0265, $02ED, $1C00, $1C00,
  $1C00, $1C00, $1C00, $1C00, $1C00, $1C00, $1C00, $1C00, $1C00, $1C00,
  $1C00, $1C00, $1C00, $1C00, $4110, $4110, $4110, $4110, $4110, $4110,
  $4110, $4110, $4110, $4110, $4110, $4110, $4110, $4110, $4110, $4110,
  $0000, $0000, $8000, $02E4, $47E4, $43E4, $C211, $C2E4, $0000, $0000,
  $0000, $42E4, $47E4, $43E4, $0020, $20E4, $C211, $C2E4, $20E4, $42E4,
  $20E4, $22E4, $2154, $211C, $FFFF, $FFFF, $05A0, $42E4, $20E4, $20E4,
  $2154, $211C, $A211, $A2E4, $043F, $0224, $0465, $24AC, $043F, $8128,
  $6005, $6005, $6005, $6005, $6005, $6005, $6005, $6005, $FFFF, $00ED,
  $00ED, $00ED, $00ED, $00ED, $02ED, $20AC, $00ED, $00ED, $00ED, $00ED,
  $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED,
  $003F, $02ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED,
  $FFFF, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED, $00ED,
  $00ED, $00ED, $00ED, $00ED, $00ED, $0000
  );
  // Ten rows of sixteen entries, presumably selected by opcode group and the
  // ModRM byte's reg/mod fields — the exact indexing lives in the (unseen) decoder.
  Opcodes3: array [0..9] of array [0..15] of word =
  (
  ($0510, $FFFF, $4110, $4110, $8110, $8110, $8110, $8110, $0510, $FFFF,
  $4110, $4110, $8110, $8110, $8110, $8110),
  ($0DA0, $FFFF, $41A0, $41A0, $81A0, $81A0, $81A0, $81A0, $0DA0, $FFFF,
  $41A0, $41A0, $81A0, $81A0, $81A0, $81A0),
  ($0120, $0120, $0120, $0120, $0120, $0120, $0120, $0120, $0036, $0036,
  $0030, $0030, $0036, $0036, $0036, $0036),
  ($0120, $FFFF, $0120, $0120, $0110, $0118, $0110, $0118, $0030, $0030,
  $0000, $0030, $0000, $0000, $0000, $0000),
  ($0120, $0120, $0120, $0120, $0120, $0120, $0120, $0120, $0036, $0036,
  $0036, $0036, $FFFF, $0000, $FFFF, $FFFF),
  ($0120, $FFFF, $0120, $0120, $FFFF, $0130, $FFFF, $0130, $0036, $0036,
  $0036, $0036, $0000, $0036, $0036, $0000),
  ($0128, $0128, $0128, $0128, $0128, $0128, $0128, $0128, $0236, $0236,
  $0030, $0030, $0236, $0236, $0236, $0236),
  ($0128, $FFFF, $0128, $0128, $0110, $FFFF, $0110, $0118, $0030, $0030,
  $0030, $0030, $0030, $0030, $FFFF, $FFFF),
  ($0118, $0118, $0118, $0118, $0118, $0118, $0118, $0118, $0236, $0236,
  $0030, $0236, $0236, $0236, $0236, $0236),
  ($0118, $FFFF, $0118, $0118, $0130, $0128, $0130, $0128, $0030, $0030,
  $0030, $0030, $0000, $0036, $0036, $FFFF)
  );
// Toolhelp32 imports bound straight to kernel32 (the unit does not use the
// TlHelp32 unit). CreateToolhelp32Snapshot reports failure with
// INVALID_HANDLE_VALUE, not 0, so callers must test for that value; the
// snapshot handle must be released with CloseHandle.
Function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): dword stdcall;
  external 'kernel32.dll';
Function Thread32First(hSnapshot: THandle; var lpte: TThreadEntry32): BOOL stdcall;
  external 'kernel32.dll';
Function Thread32Next(hSnapshot: THandle; var lpte: TThreadENtry32): BOOL stdcall;
  external 'kernel32.dll';
Function Process32First(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL stdcall;
  external 'kernel32.dll';
Function Process32Next(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL stdcall;
  external 'kernel32.dll';
// Returns a thread handle (0 on failure). OpenThread is absent from the
// Win9x/NT4 kernel32; binding it statically makes the whole image fail to
// load on those systems.
Function OpenThread(dwDesiredAccess: dword;
  bInheritHandle: bool;
  dwThreadId: dword): dword; stdcall;
  external 'kernel32.dll';
// Implemented later in the unit (outside this chunk). SaveOldFunction
// presumably builds the trampoline that HookCode hands back as OldProc;
// MapLibrary maps the in-memory image Src into Process at Dest and returns
// the bookkeeping record — confirm against the bodies.
function SaveOldFunction(Proc: pointer; Old: pointer): dword; forward;
function MapLibrary(Process: dword; Dest, Src: pointer): TLibInfo; forward;
//**********
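{ Parses S as an integer with the RTL Val procedure (decimal, or hex with a
  leading '$'). Returns 0 when S is not a well-formed integer.

  The original passed Result as both the value and the error-position
  argument of Val; that aliasing only produced the right answer by accident
  of code generation. A separate Code variable makes the failure case
  explicit instead of leaving it to the RTL's write ordering. }
function StrToInt(S: string): integer;
var
  Code: integer;
begin
  Val(S, Result, Code);
  if Code <> 0 then
    Result := 0;  // Code is the 1-based index of the first offending character
end;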
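{ Appends Text to the dynamic array Strings.

  Strings is now a var parameter. A dynamic array passed by value is a
  reference the callee cannot reseat: the original's SetLength produced a
  private (unique) copy, assigned it to the local parameter, and the
  caller's array never grew — every Add was silently lost. Callers must
  pass an assignable TStringArray (a variable or record field such as
  TLibInfo.LibsUsed), which is what an append requires anyway. }
procedure Add(var Strings: TStringArray; Text: string);
var
  Last: integer;
begin
  Last := Length(Strings);
  SetLength(Strings, Last + 1);
  Strings[Last] := Text;
end;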
{ Case-insensitive lookup of Text in Strings (lstrcmpi, consistent with the
  rest of the unit). When several entries match, Index receives the HIGHEST
  matching position. When nothing matches, Index is left untouched and the
  function returns False. }
function Find(Strings: array of string; Text: string; var Index: integer): boolean;
var
  Slot: integer;
begin
  // Walking from the end and stopping at the first hit yields exactly the
  // "last match wins" answer of a full forward scan, without the extra work.
  for Slot := High(Strings) downto Low(Strings) do
  begin
    if lstrcmpi(PChar(Strings[Slot]), PChar(Text)) = 0 then
    begin
      Index := Slot;
      Result := True;
      Exit;
    end;
  end;
  Result := False;
end;
{ Maps the IMAGE_SCN_MEM_* characteristics of a PE section to the PAGE_*
  protection to use when the section is mapped. Only the read/write/execute
  bits and IMAGE_SCN_MEM_NOT_CACHED are honoured; every other section flag is
  ignored. Write-without-read combinations map to the *_WRITECOPY variants.

  No W^X policy is applied here: a section that asks for write+execute is
  given PAGE_EXECUTE_READWRITE exactly as requested. }
function GetSectionProtection(ImageScn: dword): dword;
const
  BitRead    = 1;
  BitWrite   = 2;
  BitExecute = 4;
var
  Access: dword;
begin
  // Collapse the three access characteristics into a 3-bit key, then dispatch.
  Access := 0;
  if (ImageScn and IMAGE_SCN_MEM_READ) <> 0 then
    Access := Access or BitRead;
  if (ImageScn and IMAGE_SCN_MEM_WRITE) <> 0 then
    Access := Access or BitWrite;
  if (ImageScn and IMAGE_SCN_MEM_EXECUTE) <> 0 then
    Access := Access or BitExecute;
  case Access of
    0:                          Result := PAGE_NOACCESS;
    BitRead:                    Result := PAGE_READONLY;
    BitWrite:                   Result := PAGE_WRITECOPY;
    BitRead or BitWrite:        Result := PAGE_READWRITE;
    BitExecute:                 Result := PAGE_EXECUTE;
    BitExecute or BitRead:      Result := PAGE_EXECUTE_READ;
    BitExecute or BitWrite:     Result := PAGE_EXECUTE_WRITECOPY;
  else
    Result := PAGE_EXECUTE_READWRITE;  // all three bits set
  end;
  // Cache control is orthogonal to access rights and is OR'ed on top.
  if (ImageScn and IMAGE_SCN_MEM_NOT_CACHED) <> 0 then
    Result := Result or PAGE_NOCACHE;
end;
//***********
{项塍麇龛