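type
  { Layout of a Delphi import thunk for an external routine:
    "jmp dword ptr [slot]" (opcode FF 25, read as the little-endian Word $25FF)
    followed by the address of the import-address-table slot that holds the
    real entry point.  Taking @SomeExternalFunc yields the address of such a
    thunk, which is how SetAPI below locates the slot to patch. }
  TIMAGE_IMPORT_Code = packed record
    JumpCode: Word;          // expected to be $25FF (FF 25 = "jmp [imm32]")
    FunctionProc: PPointer;  // address of the IAT slot the thunk jumps through
  end;
  PIMAGE_IMPORT_CODE = ^TIMAGE_IMPORT_CODE;

{ Replace the pointer stored at OldFunc with NewFunc (patching one IAT slot of
  the current process).  The slot lives in a read-only page of the image, so
  the page is made writable for the write and its previous protection is put
  back afterwards.
  Returns True only when the page could be unprotected and the whole pointer
  was written, so the caller can tell whether the hook is really in place.
  Declared as a function rather than a procedure; existing statement-style
  calls keep working under Delphi's default extended syntax. }
function SetFunc(OldFunc: PPointer; NewFunc: Pointer): Boolean;
var
  Written: DWORD;
  OldProt: DWORD;
  Dummy: DWORD;
begin
  Result := False;
  if OldFunc = nil then
    Exit;
  // OldProt receives the previous page protection; it is what gets restored.
  if not VirtualProtect(OldFunc, SizeOf(NewFunc), PAGE_READWRITE, OldProt) then
    Exit;
  // SizeOf(NewFunc) instead of the literal 4 keeps the write width equal to
  // the pointer width; a short write is reported as failure via Written.
  Result := WriteProcessMemory(GetCurrentProcess, OldFunc, @NewFunc,
                               SizeOf(NewFunc), Written)
            and (Written = SizeOf(NewFunc));
  // The last parameter must reference a valid DWORD; VirtualProtect rejects a
  // NIL lpflOldProtect, so the original restore call never took effect.
  VirtualProtect(OldFunc, SizeOf(NewFunc), OldProt, Dummy);
end;

{ Install the MessageBox hook: @MessageBox resolves to the import thunk and its
  FunctionProc member is the IAT slot the thunk jumps through.  Only that one
  slot is rewritten.  The opcode is verified first: if the routine is not
  reached through a "jmp [imm32]" thunk (other linker/import layouts),
  FunctionProc would hold unrelated bytes and the write would land at an
  arbitrary address. }
procedure SetAPI;
var
  Code: PIMAGE_IMPORT_CODE;
begin
  Code := @MessageBox;
  if Code^.JumpCode <> $25FF then
    Exit;
  SetFunc(Code^.FunctionProc, @VMessageBox);
end;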
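/* Resolve MessageBeep from user32 at run time.  LoadLibrary may return NULL
 * (load failure), and GetProcAddress must not be handed a NULL module, so the
 * lookup is skipped in that case; func itself still has to be tested for NULL
 * by whoever uses or patches it. */
MH = LoadLibrary("User32.dll");
func = (MH != NULL) ? GetProcAddress(MH, "MessageBeep") : NULL;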
钩这个函数……
去看看Windows核心编程~
Iam21bird(世纪菜鸟:要多菜就多菜) 我脑子没病不会做这行,还有不会叫大头明白没?所以这里不需要你解释
JumpCode: Word;
FunctionProc: PPointer;
end;
type
  // Pointer to the thunk record, so an import thunk can be inspected in place.
  PIMAGE_IMPORT_CODE = ^TIMAGE_IMPORT_CODE;
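{ Replace the pointer stored at OldFunc with NewFunc (patching one IAT slot of
  the current process).  The slot lives in a read-only page of the image, so
  the page is made writable for the write and its previous protection is put
  back afterwards.
  Returns True only when the page could be unprotected and the whole pointer
  was written, so the caller can tell whether the hook is really in place.
  Declared as a function rather than a procedure; existing statement-style
  calls keep working under Delphi's default extended syntax. }
function SetFunc(OldFunc: PPointer; NewFunc: Pointer): Boolean;
var
  Written: DWORD;
  OldProt: DWORD;
  Dummy: DWORD;
begin
  Result := False;
  if OldFunc = nil then
    Exit;
  // OldProt receives the previous page protection; it is what gets restored.
  if not VirtualProtect(OldFunc, SizeOf(NewFunc), PAGE_READWRITE, OldProt) then
    Exit;
  // SizeOf(NewFunc) instead of the literal 4 keeps the write width equal to
  // the pointer width; a short write is reported as failure via Written.
  Result := WriteProcessMemory(GetCurrentProcess, OldFunc, @NewFunc,
                               SizeOf(NewFunc), Written)
            and (Written = SizeOf(NewFunc));
  // The last parameter must reference a valid DWORD; VirtualProtect rejects a
  // NIL lpflOldProtect, so the original restore call never took effect.
  VirtualProtect(OldFunc, SizeOf(NewFunc), OldProt, Dummy);
end;

{ Install the MessageBox hook: @MessageBox resolves to the import thunk and its
  FunctionProc member is the IAT slot the thunk jumps through.  Only that one
  slot is rewritten.  The opcode is verified first: if the routine is not
  reached through a "jmp [imm32]" thunk (FF 25, read as the Word $25FF),
  FunctionProc would hold unrelated bytes and the write would land at an
  arbitrary address. }
procedure SetAPI;
var
  Code: PIMAGE_IMPORT_CODE;
begin
  Code := @MessageBox;
  if Code^.JumpCode <> $25FF then
    Exit;
  SetFunc(Code^.FunctionProc, @VMessageBox);
end;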
比如，我前一阵子写的（只贴一部分）。
//---------------------------------------------------------------------------
//
// MyGetProcAddress
//
//---------------------------------------------------------------------------
FARPROC WINAPI MyGetProcAddress(HMODULE hmod, PCSTR pszProcName)
{
//--------------------------------------------------------
// 先尝试取得EnumProcesses函数的地址
m_pfnEnumProcesses = (PFNENUMPROCESSES)::GetProcAddress(
::GetModuleHandleA("Psapi.DLL"),
"EnumProcesses"
); // 很有可能这个DLL还没有加载, 让我们手动加载它
if (NULL == m_pfnEnumProcesses)
{
HMODULE m_hModPSAPI = ::LoadLibraryA("Psapi.DLL");
if (NULL == m_hModPSAPI)
{
// 加载失败, 返回FALSE
return FALSE;
}
m_pfnEnumProcesses = (PFNENUMPROCESSES)
::GetProcAddress(m_hModPSAPI,"EnumProcesses");
if (NULL == m_pfnEnumProcesses)
{
return FALSE;
}
}
//--------------------------------------------------------
// 尝试取得NtQuerySystemInformation的函数地址
m_pfnNtQuerySystemInformation =
(PFN_NtQuerySystemInformation)::GetProcAddress(
::GetModuleHandleA("Ntdll.DLL"),
"NtQuerySystemInformation"
);
// 很有可能这个DLL还没有加载, 让我们手动加载它
if (NULL == m_pfnNtQuerySystemInformation)
{
HMODULE m_hModNtdll = ::LoadLibraryA("Ntdll.DLL");
if (NULL == m_hModNtdll)
{
// 加载失败, 返回FALSE
return FALSE;
}
m_pfnNtQuerySystemInformation = (PFN_NtQuerySystemInformation)
::GetProcAddress(
m_hModNtdll,
"NtQuerySystemInformation"
);
if (NULL == m_pfnNtQuerySystemInformation)
{
return FALSE;
}
}
FARPROC pfn = ::GetProcAddress(hmod, pszProcName); // 如果有进程企图取得我们要拦截的原函数地址, 转接它们到我们自己的函数地址
if (pfn == (FARPROC)m_pfnEnumProcesses)
{
return (FARPROC)MyEnumProcesses;
}
if (pfn == (FARPROC)m_pfnNtQuerySystemInformation)
{
return (FARPROC)MyNtQuerySystemInformation;
} // ...... 还有几个函数, 不写上来了........
// 如果有更多的函数需要拦截, 请自行增加... return pfn;