{
Advanced API Hook Library v 1.1
Coded By Ms-Rem ( Ms-Rem@yandex.ru ) ICQ 286370715
}
unit advApiHook;
{ Preferred load address of this image, as set by the author. }
{$IMAGEBASE $13140000}
interface
uses
Windows, NativeAPI, LDasm;
{ NativeAPI and LDasm are project-local units; they are not part of this chunk. }
{ --- Remote-process helpers ---
  Place data, a module or a code image into another process and/or start a
  thread there.  Process is an open process handle typed as dword, so this
  unit is 32-bit only.  The implementations are outside this chunk; only the
  signatures are documented here. }
function InjectString(Process: dword; Text: PChar): PChar;
function InjectThread(Process: dword; Thread: pointer; Info: pointer;
InfoLen: dword; Results: boolean): THandle;
Function InjectDll(Process: dword; ModulePath: PChar): boolean;
function InjectDllEx(Process: dword; Src: pointer): boolean;
function InjectExe(Process: dword; Data: pointer): boolean;
function InjectThisExe(Process: dword; EntryPoint: pointer): boolean;
function InjectMemory(Process: dword; Memory: pointer; Size: dword): pointer;
function ReleaseLibrary(Process: dword; ModulePath: PChar): boolean;
{ CreateProcess-style wrappers.  The parameter list mirrors Win32
  CreateProcess; the trailing ModulePath / Src argument names what is to be
  loaded into the new process. }
function CreateProcessWithDll(lpApplicationName: pchar;
lpCommandLine: pchar;
lpProcessAttributes,
lpThreadAttributes: PSecurityAttributes;
bInheritHandles: boolean;
dwCreationFlags: dword;
lpEnvironment: pointer;
lpCurrentDirectory: pchar;
const lpStartupInfo: TStartupInfo;
var lpProcessInformation: TProcessInformation;
ModulePath: PChar): boolean;
function CreateProcessWithDllEx(lpApplicationName: PChar;
lpCommandLine: PChar;
lpProcessAttributes,
lpThreadAttributes: PSecurityAttributes;
bInheritHandles: boolean;
dwCreationFlags: dword;
lpEnvironment: pointer;
lpCurrentDirectory: PChar;
const lpStartupInfo: TStartupInfo;
var lpProcessInformation:
TProcessInformation;
Src: pointer): boolean;
{ --- In-process hooking ---
  OldProc is an out-parameter: it receives the pointer callers use to reach
  the original routine (SaveOldFunction, forward-declared in the
  implementation, presumably builds it).  UnhookCode takes that same pointer
  back. }
function HookCode(TargetProc, NewProc: pointer; var OldProc: pointer): boolean;
function HookProc(lpModuleName, lpProcName: PChar;
NewProc: pointer; var OldProc: pointer): boolean;
function UnhookCode(OldProc: pointer): boolean;
{ GetProcAddress resolved against another process.  The meaning of dwProcLen
  is not visible in this chunk - confirm against the implementation. }
function GetProcAddressEx(Process: dword; lpModuleName,
lpProcName: pchar; dwProcLen: dword): pointer;
{ Thread suspension / resumption.  The *Process forms take a process id;
  StopThreads/RunThreads take no arguments and so presumably act on the
  calling process - confirm. }
Function StopProcess(ProcessId: dword): boolean;
Function RunProcess(ProcessId: dword): boolean;
Function StopThreads(): boolean;
Function RunThreads(): boolean;
{ Token privilege helpers.  The *Debug* forms are named for SeDebugPrivilege;
  enabling a privilege only succeeds when the token already holds it, which
  for SeDebugPrivilege normally means an administrative context. }
function EnablePrivilegeEx(Process: dword; lpPrivilegeName: PChar):Boolean;
function EnablePrivilege(lpPrivilegeName: PChar):Boolean;
function EnableDebugPrivilegeEx(Process: dword):Boolean;
function EnableDebugPrivilege():Boolean;
{ Process lookup by image name, open with extended access, and thread lookup
  for a process id. }
function GetProcessId(pName: PChar): dword;
Function OpenProcessEx(dwProcessId: DWORD): THandle;
Function SearchProcessThread(ProcessId: dword): dword;
{ Remaining entry points; see the implementation for their semantics.
  SearchSignature presumably scans Size bytes at pCode for the sSize-byte
  pattern at pSign and returns where it was found. }
function CreateZombieProcess(lpCommandLine: pchar;
var lpProcessInformation: TProcessInformation;
ModulePath: PChar): boolean;
function InjectDllAlt(Process: dword; ModulePath: PChar): boolean;
Function DebugKillProcess(ProcessId: dword): boolean;
function SearchSignature(pCode: pointer; Size: dword; pSign: pointer; sSize: dword): pointer;
implementation
type
{ Local copies of the Win32 ToolHelp THREADENTRY32 / PROCESSENTRY32 layouts,
  declared here because the uses clause pulls in Windows but no TlHelp32
  unit.  ToolHelp requires dwSize = SizeOf(record) before the First/Next
  calls declared further down. }
TTHREADENTRY32 = packed record
dwSize: DWORD;
cntUsage: DWORD;
th32ThreadID: DWORD;
th32OwnerProcessID: DWORD;
tpBasePri: Longint;
tpDeltaPri: Longint;
dwFlags: DWORD;
end;
TPROCESSENTRY32 = packed record
dwSize: DWORD;
cntUsage: DWORD;
th32ProcessID: DWORD;
th32DefaultHeapID: DWORD;
th32ModuleID: DWORD;
cntThreads: DWORD;
th32ParentProcessID: DWORD;
pcPriClassBase: Longint;
dwFlags: DWORD;
szExeFile: array[0..MAX_PATH - 1] of Char;
end;
TModuleList = array of dword;
{ PE import directory entry (IMAGE_IMPORT_DESCRIPTOR).  Every field is an RVA
  or a flag word, hence dword rather than pointer. }
PImageImportDescriptor = ^TImageImportDescriptor;
TImageImportDescriptor = packed record
OriginalFirstThunk: dword;
TimeDateStamp: dword;
ForwarderChain: dword;
Name: dword;
FirstThunk: dword;
end;
{ PE relocation block header (IMAGE_BASE_RELOCATION).  The 16-bit fixup
  entries follow the header in memory and are not part of this record. }
PImageBaseRelocation = ^TImageBaseRelocation;
TImageBaseRelocation = packed record
VirtualAddress: dword;
SizeOfBlock: dword;
end;
TStringArray = array of string;
{ Signature of a DllMain-style entry point. }
TDllEntryProc = function(hinstDLL: HMODULE; dwReason: dword;
lpvReserved: pointer): boolean; stdcall;
{ Bookkeeping returned by MapLibrary (forward-declared below). }
PLibInfo = ^TLibInfo;
TLibInfo = packed record
ImageBase: pointer;
ImageSize: longint;
DllProc: TDllEntryProc;
DllProcAddress: pointer;
LibsUsed: TStringArray;
end;
{ Declared with a single element so it can be laid over a section table and
  indexed open-endedly; any index above 0 relies on range checking being off
  (the $R- switch), so this unit must not be compiled with range checks on. }
TSections = array [0..0] of TImageSectionHeader;
const
{ Import-thunk constants for 32-bit images: a thunk with the high bit set
  imports by ordinal (low 16 bits); otherwise it is an RVA to an
  IMAGE_IMPORT_BY_NAME whose name string starts IMPORTED_NAME_OFFSET bytes in,
  after the Hint word. }
IMPORTED_NAME_OFFSET = $00000002;
IMAGE_ORDINAL_FLAG32 = $80000000;
IMAGE_ORDINAL_MASK32 = $0000FFFF;
{ THREAD_ALL_ACCESS here is the pre-Vista value.  Since Vista the full mask
  is $001FFFFF; requesting this subset still succeeds on newer systems. }
THREAD_ALL_ACCESS = $001F03FF;
THREAD_SUSPEND_RESUME = $00000002;
TH32CS_SNAPTHREAD = $00000004;
TH32CS_SNAPPROCESS = $00000002;
{ ToolHelp and OpenThread bound by hand from kernel32 (the record types are
  declared above).  CreateToolhelp32Snapshot and OpenThread return dword
  rather than THandle here. }
Function CreateToolhelp32Snapshot(dwFlags, th32ProcessID: DWORD): dword stdcall;
external 'kernel32.dll';
Function Thread32First(hSnapshot: THandle; var lpte: TThreadEntry32): BOOL stdcall;
external 'kernel32.dll';
Function Thread32Next(hSnapshot: THandle; var lpte: TThreadENtry32): BOOL stdcall;
external 'kernel32.dll';
Function Process32First(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL stdcall;
external 'kernel32.dll';
Function Process32Next(hSnapshot: THandle; var lppe: TProcessEntry32): BOOL stdcall;
external 'kernel32.dll';
Function OpenThread(dwDesiredAccess: dword;
bInheritHandle: bool;
dwThreadId: dword): dword; stdcall;
external 'kernel32.dll';
{ Forward declarations for helpers defined later in the implementation. }
function SaveOldFunction(Proc: pbyte; Old: pbyte): dword; forward;
function MapLibrary(Process: dword; Dest, Src: pointer): TLibInfo; forward;
//**********
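{ Converts S to an integer with System.Val and returns 0 when S is not a
  valid integer.  The original passed Result as both the value and the
  error-code argument of Val, so what it returned on bad input depended on
  the RTL's store order (in Delphi it appears to have come out as 0); a
  separate Code variable makes that case explicit.  Note that this local
  StrToInt shadows the SysUtils name but never raises. }
function StrToInt(S: string): integer;
var
  Code: integer;  // 0 on success, else the 1-based position of the bad char
begin
  Val(S, Result, Code);
  if Code <> 0 then
    Result := 0;  // invalid or empty input -> 0
end;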
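{ Appends Text to the dynamic array Strings.
  Strings is now passed by reference: SetLength on a by-value dynamic-array
  parameter reallocates only the callee's copy, so the original version
  never changed the caller's array and every call was effectively a no-op. }
procedure Add(var Strings: TStringArray; Text: string);
var
  Last: integer;  // index of the slot being appended
begin
  Last := Length(Strings);
  SetLength(Strings, Last + 1);
  Strings[Last] := Text;
end;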
{ Case-insensitive lookup of Text in Strings (compares with lstrcmpi).
  Returns True and sets Index to the position of the LAST matching entry;
  Index is left untouched when nothing matches. }
function Find(Strings: array of string; Text: string; var Index: integer): boolean;
var
  Slot: integer;
begin
  // Walk backwards so the first hit is the highest matching index, which is
  // what a full forward scan that keeps overwriting Index ends up reporting.
  for Slot := High(Strings) downto Low(Strings) do
    if lstrcmpi(PChar(Strings[Slot]), PChar(Text)) = 0 then
    begin
      Index := Slot;
      Result := True;
      Exit;
    end;
  Result := False;
end;
{ Translates IMAGE_SCN_MEM_* section characteristics into the matching
  PAGE_* protection.  The read/write/execute bits select one of eight base
  protections; IMAGE_SCN_MEM_NOT_CACHED additionally ORs in PAGE_NOCACHE.
  A section flagged both writable and executable yields
  PAGE_EXECUTE_READWRITE, i.e. the result is exactly as permissive as the
  section header asks for. }
function GetSectionProtection(ImageScn: dword): dword;
const
  // Indexed by (execute shl 2) or (read shl 1) or write.
  Base: array[0..7] of dword = (
    PAGE_NOACCESS,          // ---
    PAGE_WRITECOPY,         // --w
    PAGE_READONLY,          // -r-
    PAGE_READWRITE,         // -rw
    PAGE_EXECUTE,           // x--
    PAGE_EXECUTE_WRITECOPY, // x-w
    PAGE_EXECUTE_READ,      // xr-
    PAGE_EXECUTE_READWRITE  // xrw
  );
var
  Key: integer;
begin
  Key := 0;
  if (ImageScn and IMAGE_SCN_MEM_WRITE) <> 0 then Key := Key or 1;
  if (ImageScn and IMAGE_SCN_MEM_READ) <> 0 then Key := Key or 2;
  if (ImageScn and IMAGE_SCN_MEM_EXECUTE) <> 0 then Key := Key or 4;
  Result := Base[Key];
  if (ImageScn and IMAGE_SCN_MEM_NOT_CACHED) <> 0 then
    Result := Result or PAGE_NOCACHE;
end;
{ 马邃疱龛