UNIT APIHook;
{!INFO
MODULENAME = 'APIHook'
VERSION = '1.00'
AUTHOR = 'Berserker'
DESCRIPTION = 'Contains a set of procedures and functions for intruding into processes'
}
{ Overview (review): this unit patches function entry points inside the current
  process (AddHook/RemoveHook/AddAPIHook/RemoveAPIHook), starts a child process
  with an additional DLL loaded into it (RunProcessWithHookDll), makes renamed
  copies of DLLs (DuplicateModule) and terminates sibling threads
  (KillAllThreads). Pointer arithmetic is done with INTEGER casts and the
  patches are 5-byte jumps, so the code is 32-bit x86 only.
  Each of these operations is the kind of behaviour that endpoint protection and
  anti-tamper checks look for: function prologues that differ from the on-disk
  image, a remote thread created in a freshly started suspended process, and
  unexpected HOOK_*.dll copies in the working directory. }
INTERFACE
USES Windows, SysUtils, TLHELP32;
CONST
  // Passed to CopyFile as bFailIfExists by DuplicateModule, so FALSE actually
  // means "an existing copy may be overwritten" — the name reads the other way.
  C_OVERWRITEEXISTING = FALSE;
  C_ERRORHANDLE = 0; // returned by DuplicateModule when the copy fails (LoadLibrary also yields 0 on failure)
  C_ASMBLOCKSIZE = 20; // size in bytes of the stub RunProcessWithHookDll writes into the child
  // Thread access rights; values match the Win32 THREAD_* constants
  thread_Terminate = $00000001;
  thread_Suspend_Resume = $00000002;
  thread_Get_Context = $00000008;
  thread_Set_Context = $00000010;
  thread_Set_Information = $00000020;
  thread_Query_Information = $00000040;
  thread_Set_Thread_Token = $00000080;
  thread_Impersonate = $00000100;
  thread_Direct_Impersonation = $00000200;
  thread_All_Access = Standard_Rights_Required or Synchronize or $3FF;
TYPE
  // CreateProcess-like signature with the Win32 arguments in reverse order;
  // declared here but not referenced by this unit's implementation.
  TCreateProcessFunc = FUNCTION(var PI: TProcessInformation; const SI: TStartupInfo; CurDir: PChar; Env: Pointer; CreationFlags: DWord; InheritHandles: Bool; ThreadAttrs, ProcessAttrs: PSecurityAttributes; CmdLine, AppName: PChar): INTEGER;
  // Five bytes: the size of the JMP rel32 that AddHook writes, and the space a
  // caller provides to keep a backup of the bytes it overwrites.
  PHookBuffer = ^THookBuffer;
  THookBuffer = ARRAY [0..4] OF BYTE;
{* PROCEDURES AND FUNCTIONS *}
{< DuplicateModule >
Creates a copy of the library under a new name in the current directory, loads it and returns its handle}
FUNCTION DuplicateModule(name: STRING): THandle;
{< FullPath >
Returns the full path to a file in the same directory as the program
(note: the implementation resolves the name against the current directory via GetFullPathName, not the program's directory)}
FUNCTION FullPath(FileName: STRING): STRING;
// Inline patch of OldProc's first five bytes with a jump to NewProc; Buffer (may be NIL) receives a 5-byte backup
PROCEDURE AddHook(OldProc, NewProc: POINTER; Buffer: PHookBuffer);
// Writes the five bytes in Buffer back over OldProc
PROCEDURE RemoveHook(OldProc: POINTER; CONST Buffer: PHookBuffer);
// Same as AddHook/RemoveHook, with the target resolved by module and export name
PROCEDURE AddAPIHook(Module, OldProc: STRING; NewProc: POINTER; Buffer: PHookBuffer);
PROCEDURE RemoveAPIHook(Module, OldProc: STRING; Buffer: PHookBuffer);
// Like FullPath but with a CONST parameter and a smaller (1024-byte) buffer
FUNCTION GetFullPath (CONST Path: STRING): STRING;
// Starts ExeFile suspended with DllFile loaded into it; PInfo receives the CreateProcess handles
PROCEDURE RunProcessWithHookDll(ExeFile, DllFile: STRING; VAR PInfo: TProcessInformation);
// Terminates every thread of the current process except the calling one
PROCEDURE KillAllThreads;
// Imported directly from kernel32 — presumably because the Windows unit of the
// targeted Delphi version does not declare OpenThread; verify against the compiler in use.
FUNCTION OpenThread(dwDesiredAccess: DWord; bInheritHandle: Bool; fwThreadId: DWord): THandle; STDCALL; EXTERNAL 'kernel32.dll' NAME 'OpenThread';
VAR
  // Command line handed to CreateProcess by RunProcessWithHookDll; empty unless a caller sets it
  CmdLine: STRING = '';
IMPLEMENTATION
FUNCTION DuplicateModule(name: STRING): THandle;
{ Copies the DLL given by name to 'HOOK_' + its base name in the current
  directory (unless such a copy already exists), loads that copy and returns
  the module handle. Returns C_ERRORHANDLE (0) when the copy fails; LoadLibrary
  itself also returns 0 on failure, so the two cases are indistinguishable to
  the caller. A HOOK_*.dll next to the executable is the on-disk artefact this
  routine leaves behind. }
VAR
  FullPath: STRING; // shadows the unit's FullPath function inside this routine
  FileName: STRING; // destination name, relative to the current directory
  WinDir: STRING;
BEGIN
  FullPath:=SysUtils.ExpandFileName(name);
  FileName:='HOOK_'+ExtractFileName(name);
  IF NOT FileExists(FullPath) THEN BEGIN
    // Fall back to <windows dir>\SYSTEM32\name; 256 bytes is below MAX_PATH (260)
    SetLength(WinDir, 256);
    SetLength(WinDir, GetWindowsDirectory(@WinDir[1], 256));
    FullPath:=WinDir+'\SYSTEM32\'+name;
  END; // .if dll is in system32 directory
  IF NOT FileExists(FileName) THEN BEGIN
    // C_OVERWRITEEXISTING is CopyFile's bFailIfExists argument: FALSE permits overwriting
    IF NOT CopyFile(PCHAR(FullPath), PCHAR(FileName), C_OVERWRITEEXISTING) THEN BEGIN
      RESULT:=C_ERRORHANDLE; EXIT;
    END; // .if we cannot copy module
  END; // .if there is no already hooked module in current directory
  RESULT:=LoadLibrary(PCHAR(FileName));
END; // .procedure DuplicateModule
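FUNCTION FullPath(FileName: STRING): STRING;
{ Returns FileName resolved to an absolute path against the current directory
  using Windows.GetFullPathName. This is pure string normalisation: the file
  does not have to exist and nothing on disk is touched. Returns '' when the
  API reports failure.
  Fix versus the original: when the buffer is too small GetFullPathName returns
  the required size (including the terminator) instead of the number of
  characters written, and the original then returned that many bytes of
  unrelated buffer contents. The call is now retried with a buffer of the
  required size. The initial size stays at 8092 (probably intended as 8192)
  so behaviour for ordinary paths is unchanged. }
CONST
  C_PATHBUFSIZE = 8092;
VAR
  Buffer: STRING;
  FilePart: PCHAR; // out parameter (pointer to the file-name part); not used
  Needed: DWORD;
BEGIN
  SetLength(Buffer, C_PATHBUFSIZE);
  Needed := Windows.GetFullPathName(PCHAR(FileName), C_PATHBUFSIZE, PCHAR(Buffer), FilePart);
  IF Needed > C_PATHBUFSIZE THEN BEGIN
    // Buffer too small: Needed is the size the API wants, retry with exactly that
    SetLength(Buffer, Needed);
    Needed := Windows.GetFullPathName(PCHAR(FileName), Needed, PCHAR(Buffer), FilePart);
    IF Needed > DWORD(Length(Buffer)) THEN BEGIN
      Needed := 0; // still too small (path changed underneath us): report failure
    END;
  END;
  SetLength(Buffer, Needed); // 0 on failure -> ''
  RESULT := Buffer;
END; // .function FullPath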
PROCEDURE AddHook(OldProc, NewProc: POINTER; Buffer: PHookBuffer);
{ Overwrites the first five bytes at OldProc with a relative JMP (E9 rel32) to
  NewProc after making the page writable. 32-bit x86 only: the displacement is
  computed with INTEGER pointer casts and the instruction is five bytes. The
  patched prologue no longer matches the on-disk image, which is what
  integrity checks compare against to detect this class of hook.
  Review notes: VirtualProtect's result is not checked, so a NIL or read-only
  OldProc proceeds straight to the write and faults; the final VirtualProtect
  passes @OldProc as lpflOldProtect, overwriting the OldProc variable with the
  previous protection value (harmless only because it is not used afterwards). }
VAR
  OldPageProtect: INTEGER;
BEGIN
  VirtualProtect(OldProc, 5, PAGE_EXECUTE_READWRITE, @OldPageProtect);
  IF Buffer<>NIL THEN BEGIN
    // NOTE(review): the backup is taken from NewProc, not from OldProc, so what
    // RemoveHook later restores is not the original prologue — confirm whether
    // this is intended.
    CopyMemory(@Buffer^[0], NewProc, 5);
  END; // .if we want to backup old data
  PBYTE(OldProc)^:=$E9; // jmp addr 32
  // rel32 is measured from the end of the 5-byte instruction, hence the -5
  PINTEGER(INTEGER(OldProc)+1)^:=INTEGER(NewProc)-INTEGER(OldProc)-5;
  VirtualProtect(OldProc, 5, OldPageProtect, @OldProc);
END; // .procedure AddHook
PROCEDURE RemoveHook(OldProc: POINTER; CONST Buffer: PHookBuffer);
{ Writes the five bytes saved in Buffer back over OldProc's entry point, undoing
  AddHook. Unlike AddHook, Buffer is not checked for NIL, so a NIL buffer
  dereferences address 0. Whether the result is the original prologue depends
  on what the caller's backup actually captured. VirtualProtect results are not
  checked, and the final call passes @OldProc as lpflOldProtect, overwriting the
  OldProc variable with the previous protection value. }
VAR
  OldPageProtect: INTEGER;
BEGIN
  VirtualProtect(OldProc, 5, PAGE_EXECUTE_READWRITE, @OldPageProtect);
  CopyMemory(OldProc, @Buffer^[0], 5);
  VirtualProtect(OldProc, 5, OldPageProtect, @OldProc);
END; // .procedure RemoveHook
PROCEDURE AddAPIHook(Module, OldProc: STRING; NewProc: POINTER; Buffer: PHookBuffer);
{ Resolves the export OldProc in Module and installs the inline patch via
  AddHook. Neither LoadLibrary nor GetProcAddress is checked: an unknown module
  or export yields a NIL target and AddHook then writes to address 0 (access
  violation). LoadLibrary also increments the module's reference count on every
  call and nothing here releases it. }
BEGIN
  AddHook(GetProcAddress(LoadLibrary(PCHAR(Module)), PCHAR(OldProc)), NewProc, Buffer);
END; // .procedure AddAPIHook
PROCEDURE RemoveAPIHook(Module, OldProc: STRING; Buffer: PHookBuffer);
{ Resolves the export OldProc in Module and restores its first five bytes from
  Buffer via RemoveHook. Same caveats as AddAPIHook: unchecked LoadLibrary and
  GetProcAddress results (a NIL target faults inside RemoveHook) and a
  LoadLibrary reference that is never released. }
BEGIN
  RemoveHook(GetProcAddress(LoadLibrary(PCHAR(Module)), PCHAR(OldProc)), Buffer);
END; // .procedure RemoveAPIHook
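PROCEDURE Ready(EventName: STRING);
{ Opens the named event, pulses it once so threads currently waiting on it are
  released, and closes the handle. Not declared in the INTERFACE section, so it
  is private to this unit, and nothing in the visible implementation calls it.
  Fix versus the original: when the event does not exist (or cannot be opened)
  OpenEvent returns 0 and the original still called PulseEvent and CloseHandle
  on that zero handle; both calls simply failed, so the visible behaviour is the
  same, but the failure path is now explicit. }
VAR
  EventHandle: THandle;
BEGIN
  EventHandle := OpenEvent(EVENT_ALL_ACCESS, FALSE, PCHAR(EventName));
  IF EventHandle = 0 THEN BEGIN
    EXIT; // no such event, or no access: nothing to signal
  END;
  // PulseEvent releases only the threads already waiting; a waiter that
  // arrives afterwards sees the event unsignalled again.
  PulseEvent(EventHandle);
  CloseHandle(EventHandle);
END; // .procedure Ready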
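FUNCTION GetFullPath (CONST Path: STRING): STRING;
{ Returns Path resolved to an absolute path against the current directory using
  Windows.GetFullPathName (pure string normalisation; the file need not exist).
  Returns '' when the API reports failure. Functionally a duplicate of FullPath
  with a 1024-byte buffer and a CONST parameter.
  Fix versus the original: when the buffer is too small GetFullPathName returns
  the required size instead of the characters written, and the original then
  returned that many bytes of unrelated buffer contents; the call is now
  retried with a buffer of the required size. }
CONST
  C_PATHBUFSIZE = 1024;
VAR
  Buf: STRING; // buffer for the full path
  FilePart: PCHAR; // out parameter (pointer to the file-name part); not used
  Needed: DWORD;
BEGIN
  SetLength(Buf, C_PATHBUFSIZE);
  Needed := Windows.GetFullPathName(PCHAR(Path), C_PATHBUFSIZE, @Buf[1], FilePart);
  IF Needed > C_PATHBUFSIZE THEN BEGIN
    // Buffer too small: Needed is the size the API wants, retry with exactly that
    SetLength(Buf, Needed);
    Needed := Windows.GetFullPathName(PCHAR(Path), Needed, @Buf[1], FilePart);
    IF Needed > DWORD(Length(Buf)) THEN BEGIN
      Needed := 0; // still too small (path changed underneath us): report failure
    END;
  END;
  SetLength(Buf, Needed); // 0 on failure -> ''
  RESULT := Buf;
END; // .function GetFullPath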
PROCEDURE RunProcessWithHookDll(ExeFile, DllFile: STRING; VAR PInfo: TProcessInformation);
{ Starts ExeFile suspended (command line = the unit-level CmdLine, working
  directory = the executable's folder), allocates two regions in the child,
  writes DllFile's path and a C_ASMBLOCKSIZE-byte stub that calls LoadLibraryA
  on that path and then ExitThread, runs the stub on a remote thread, waits for
  it to finish and only then resumes the child's main thread. PInfo receives
  the CreateProcess result; the caller owns those handles.
  Review notes:
  - 32-bit only. The call targets are LoadLibraryA/ExitThread as resolved in
    *this* process, so the stub assumes kernel32.dll is mapped at the same
    base address in the child — TODO confirm for the intended Windows versions.
  - CreateProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread
    results are not checked; on failure the code carries on and PInfo may hold
    zero handles while WaitForSingleObject waits on an invalid handle.
  - The handle returned by CreateRemoteThread is never closed.
  - Temp serves as the (unused) thread parameter and as the bytes-written /
    thread-id output, so its value is meaningless.
  - From a detection standpoint this is the suspended-process plus
    remote-thread DLL load sequence that process-creation and remote-thread
    telemetry is designed to flag. }
VAR
  si: TStartupInfo;
  AsmBlockAddr: POINTER; // stub location in the child
  Temp: INTEGER;
  WriteBuf: ARRAY[0..C_ASMBLOCKSIZE-1] OF BYTE; // stub assembled locally, then copied to the child
  Buf: INTEGER; // address of WriteBuf as an integer for byte-offset writes
  LibNameAddr: POINTER; // DllFile string location in the child
  Kernel: INTEGER;
BEGIN
  FillChar(si, SizeOf(si), #0);
  si.cb:=SizeOf(si);
  ExeFile:=GetFullPath(ExeFile);
  DllFile:=GetFullPath(DllFile);
  // PCHAR(CmdLine) with CmdLine = '' passes a pointer to an empty string, not NIL
  CreateProcess(PCHAR(ExeFile), PCHAR(CmdLine), NIL, NIL, FALSE, CREATE_SUSPENDED, NIL, PCHAR(ExtractFilePath(ExeFile)), si, PInfo);
  AsmBlockAddr:=VirtualAllocEx(PInfo.hProcess, NIL, C_ASMBLOCKSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  LibNameAddr:=VirtualAllocEx(PInfo.hProcess, NIL, Length(DllFile)+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  Kernel:=LoadLibrary('kernel32.dll');
  Buf:=INTEGER(@WriteBuf);
  PBYTE(Buf)^:=$68;
  PINTEGER(Buf+1)^:=INTEGER(LibNameAddr);
  PBYTE(Buf+5)^:=$E8;
  // call displacements are relative to the byte after the instruction (offset 10 / 20 in the stub)
  PINTEGER(Buf+6)^:=INTEGER(GetProcAddress(Kernel, 'LoadLibraryA'))-INTEGER(AsmBlockAddr)-10;
  PBYTE(Buf+10)^:=$68;
  PINTEGER(Buf+11)^:=0;
  PBYTE(Buf+15)^:=$E8;
  PINTEGER(Buf+16)^:=INTEGER(GetProcAddress(Kernel, 'ExitThread'))-INTEGER(AsmBlockAddr)-20;
  WriteProcessMemory(PInfo.hProcess, LibNameAddr, PCHAR(DllFile), Length(DllFile)+1, CARDINAL(Temp));
  WriteProcessMemory(PInfo.hProcess, AsmBlockAddr, @WriteBuf, C_ASMBLOCKSIZE, CARDINAL(Temp));
  // Block until the stub's thread has exited before letting the main thread run
  WaitForSingleObject
  (
  CreateRemoteThread(PInfo.hProcess, NIL, 0, AsmBlockAddr, @Temp, 0, CARDINAL(Temp)),
  Windows.INFINITE
  );
  ResumeThread(PInfo.hThread);
END; // .procedure RunProcessWithHookDll
PROCEDURE KillAllThreads;
{ Enumerates the threads of the current process through a Toolhelp snapshot and
  calls TerminateThread on every one except the calling thread. Per the Win32
  documentation TerminateThread runs no cleanup in the victim: locks it holds
  stay taken and its stack is not unwound, so this is only reasonable when the
  process is about to exit anyway.
  Review notes: hSnap is never closed, nor are the handles OpenThread returns;
  CreateToolhelp32Snapshot, Thread32First/Next and OpenThread failures are not
  checked (an OpenThread failure passes handle 0 to TerminateThread, which just
  fails). THREAD_ALL_ACCESS presumably resolves to this unit's thread_All_Access
  constant, since Pascal identifiers are case-insensitive — confirm against the
  Windows unit of the compiler in use. }
VAR
  CurThread: CARDINAL;
  CurProcess: CARDINAL;
  hSnap: INTEGER;
  Snap: TTHREADENTRY32;
BEGIN
  CurThread:=GetCurrentThreadID;
  CurProcess:=GetCurrentProcessID;
  hSnap:=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
  ZeroMemory(@Snap, SIZEOF(TTHREADENTRY32));
  Snap.dwSize:=SIZEOF(TTHREADENTRY32); // Thread32First rejects an entry with dwSize unset
  IF Thread32First(hSnap, Snap) THEN BEGIN
    REPEAT
      // The snapshot is system-wide, so filter on our own process id and skip ourselves
      IF (Snap.th32OwnerProcessID=CurProcess) AND (Snap.th32ThreadID<>CurThread) THEN BEGIN
        TerminateThread(OpenThread(THREAD_ALL_ACCESS, TRUE, Snap.th32ThreadID), 0);
      END; // .if
    UNTIL NOT Thread32Next(hSnap, Snap);
  END; // .if
END; // .procedure KillAllThreads
BEGIN
  // No unit initialisation: nothing is patched until a caller invokes the routines above.
END.